Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | March 05, 2025 | 3 MIN READ

LAST UPDATED ON MARCH 05, 2025

MITRE ATT&CK T1055.003 Process Injection: Thread Execution Hijacking

Thread Execution Hijacking is a technique that allows an attacker to execute arbitrary code in the context of a separate process on a computer. This technique enables attackers to execute malicious code in the context of a trusted application, making it significantly harder for security solutions to detect suspicious activity. Instead of creating a new process or injecting a separate thread, the attacker takes control of an existing one, redirecting its execution to a malicious payload while maintaining the appearance of normal operation.

In this blog post, we explain the T1055.003 Thread Execution Hijacking technique of the MITRE ATT&CK® framework and explore how adversaries employ Thread Execution Hijacking with real-world attack examples in detail.

rr25-mockup1

 

  


The Red Report 2025
The 10 Most Prevalent MITRE ATT&CK Techniques
Used by Adversaries

GET THE REPORT


Adversary Use of Thread Execution Hijacking

Adversaries start to employ the Thread Execution Hijacking technique by finding a suitable process to hijack. This could be a process that is running with high privileges or a process that is trusted by other programs on the system. Once found, malware suspends the target process, unmaps/hollows its memory, and then injects malicious shellcode or DLL into the process. Finally, they would need to redirect the execution of a thread in the process to the injected code. 

This technique is similar to the Process Hollowing technique, but instead of creating a new process in a suspended state, it aims to find an already existing process on the target system.

Below is the general attack lifecycle typically followed by adversaries performing Thread Execution Hijacking attacks:

  1. Process Handle Acquisition: The attacker acquires a handle to the target process into which they want to inject code. This involves using the OpenProcess API with appropriate access rights, such as PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ.

  2. Thread Suspension: Once the handle to the process is obtained, the attacker identifies a thread within that process to hijack. The OpenThread API is then used to get a handle on this thread, which is suspended using SuspendThread to prevent it from executing any more instructions while the attack is carried out.

  3. Memory Allocation: After successfully suspending the thread, the attacker allocates memory in the virtual address space of the target process. This is typically done with VirtualAllocEx, specifying MEM_COMMIT and PAGE_EXECUTE_READWRITE as the desired memory state and protection. This ensures that the allocated memory is both executable and writable.

  4. Writing Shellcode: With the memory allocated, the attacker writes their malicious payload (shellcode) to the allocated space using the WriteProcessMemory function, which copies data from the attacker's buffer to the allocated memory in the target's process space.

  5. Hijacking Thread Context: The attacker then hijacks the thread's execution context by retrieving it with GetThreadContext, which includes register values. The EIP register (on x86 architectures) or RIP register (on x86-64 architectures) within the context is set to point to the address of the shellcode in the allocated memory.

  6. Context Manipulation: After altering the context to point to the malicious code, SetThreadContext is used to apply the modified context to the suspended thread. This changes the execution flow of the thread to the injected shellcode.

  7. Thread Resumption: Finally, the attacker resumes the thread with the ResumeThread function. The thread will continue execution at the new entry point specified by the altered EIP/RIP register, thereby executing the attacker's malicious code within the context of the target process.

It is common to see the thread execution hijacking technique in the wild. In January 2024, Lumma Stealer was reported to use a thread execution hijacking technique [1]. Adversaries use encoded PNG files to evade detection and malware analysis. Before deciphering the Lumma Stealer, the attacker checks for remote debugger strings such as ollydbg, windbg, and ida by invoking GetForegorundWindow. After completing Anti-VM and Anti-Debug checks, adversaries decrypt encoded PNG files and inject Lumma Stealer into target processes using the SuspendThread function.

In another example, Zloader malware was found to inject CyberMesh.exe into msiexec.exe using the thread execution hijacking technique [2]. Adversaries used the CreateUserProcess, AllocateVirtualMemory, WriteVirtualMemory, GetContextThread, SetContextThread, ProtectVirtualMemory, and ResumeThread syscalls to start, suspend, and inject malware into msiexec.exe.

References

[1] C. Lin, "Deceptive Cracked Software Spreads Lumma Variant on YouTube," Fortinet Blog, Jan. 08, 2024. Available: https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube

[2] "ZLoader's Back Again: Threat, Indicators & Tooling Details," Deepwatch, Jan. 31, 2024. Available: https://www.deepwatch.com/blog/guess-whos-back-zloaders-back-back-again/

Table of Contents

MITRE ATT&CK T1055.013 Process Injection: Process Doppelgänging
MITRE ATT&CK MITRE ATT&CK T1055.013 Process Injection: Process Doppelgänging
Learn More
MITRE ATT&CK T1055.005 Process Injection: Thread Local Storage
MITRE ATT&CK MITRE ATT&CK T1055.005 Process Injection: Thread Local Storage
Learn More
MITRE ATT&CK T1055.003 Process Injection: Thread Execution Hijacking
MITRE ATT&CK MITRE ATT&CK T1055.003 Process Injection: Thread Execution Hijacking
Learn More
MITRE ATT&CK T1055.012 Process Injection: Process Hollowing
MITRE ATT&CK MITRE ATT&CK T1055.012 Process Injection: Process Hollowing
Learn More
MITRE ATT&CK T1055.011 Process Injection: Extra Window Memory Injection
MITRE ATT&CK MITRE ATT&CK T1055.011 Process Injection: Extra Window Memory Injection
Learn More
MITRE ATT&CK T1055.009 Process Injection: Proc Memory
MITRE ATT&CK MITRE ATT&CK T1055.009 Process Injection: Proc Memory
Learn More
MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
MITRE ATT&CK MITRE ATT&CK T1055.008 Process Injection: Ptrace System Calls
Learn More
MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
MITRE ATT&CK MITRE ATT&CK T1055.004 Process Injection: Asynchronous Procedure Call
Learn More
MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
MITRE ATT&CK MITRE ATT&CK T1055.002 Process Injection: Portable Executable Injection
Learn More