Thread Execution Hijacking - T1055.003
(ATT&CK® Technique)
Definition
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
D3FEND Inferred Relationships
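The graph below relates this technique to D3FEND countermeasures through the digital artifacts they have in common (System Call and Executable Binary). The "may-" relationships are inferred from those shared artifacts rather than asserted directly, so treat them as candidates to validate, not as confirmed coverage. In the interactive D3FEND knowledge graph, clicking a node opens its page.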
%% D3FEND inferred-relationship graph for ATT&CK T1055.003 (Thread Execution Hijacking).
%% Solid edges (-->) relate a technique to a digital artifact; dotted edges (-.->)
%% are the inferred "may-*" relationships from a countermeasure back to T1055.003.
%% Reading note: only System Call Analysis and System Call Filtering connect through
%% the System Call artifact, which the technique "invokes". The other twelve
%% countermeasures connect through Executable Binary, which the technique only
%% "may-add", so they apply only when a binary is actually added.
graph LR;

    %% Offensive technique -> System Call artifact (definite: "invokes").
    T1055003["Thread Execution Hijacking"] --> |invokes| SystemCall["System Call"];
    class T1055003 OffensiveTechniqueNode;
    class SystemCall ArtifactNode;
    click SystemCall href "/dao/artifact/d3f:SystemCall";
    click T1055003 href "/offensive-technique/attack/T1055.003/";
    click SystemCall href "/dao/artifact/d3f:SystemCall";

    %% Offensive technique -> Executable Binary artifact (conditional: "may-add").
    T1055003["Thread Execution Hijacking"] --> |may-add| ExecutableBinary["Executable Binary"];
    class T1055003 OffensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
    click T1055003 href "/offensive-technique/attack/T1055.003/";
    click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";

    %% Emulated File Analysis: analyzes Executable Binary, may-detect.
    EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1055003["Thread Execution Hijacking"] ;
    class EmulatedFileAnalysis DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

    %% System Call Analysis: analyzes System Call, may-detect.
    SystemCallAnalysis["System Call Analysis"] --> | analyzes | SystemCall["System Call"];
    SystemCallAnalysis["System Call Analysis"] -.-> | may-detect | T1055003["Thread Execution Hijacking"] ;
    class SystemCallAnalysis DefensiveTechniqueNode;
    class SystemCall ArtifactNode;
    click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";

    %% Dynamic Analysis: analyzes Executable Binary, may-detect.
    DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1055003["Thread Execution Hijacking"] ;
    class DynamicAnalysis DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

    %% File Integrity Monitoring: analyzes Executable Binary, may-detect.
    FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableBinary["Executable Binary"];
    FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1055003["Thread Execution Hijacking"] ;
    class FileIntegrityMonitoring DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

    %% File Eviction: deletes Executable Binary, may-evict.
    FileEviction["File Eviction"] --> | deletes | ExecutableBinary["Executable Binary"];
    FileEviction["File Eviction"] -.-> | may-evict | T1055003["Thread Execution Hijacking"] ;
    class FileEviction DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click FileEviction href "/technique/d3f:FileEviction";

    %% Executable Allowlisting: blocks Executable Binary, may-isolate.
    ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"];
    ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1055003["Thread Execution Hijacking"] ;
    class ExecutableAllowlisting DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

    %% Executable Denylisting: blocks Executable Binary, may-isolate.
    ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"];
    ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1055003["Thread Execution Hijacking"] ;
    class ExecutableDenylisting DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

    %% Local File Permissions: restricts Executable Binary, may-isolate.
    LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"];
    LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1055003["Thread Execution Hijacking"] ;
    class LocalFilePermissions DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

    %% Decoy File: spoofs Executable Binary, may-deceive.
    DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"];
    DecoyFile["Decoy File"] -.-> | may-deceive | T1055003["Thread Execution Hijacking"] ;
    class DecoyFile DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click DecoyFile href "/technique/d3f:DecoyFile";

    %% File Encryption: encrypts Executable Binary, may-harden.
    FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"];
    FileEncryption["File Encryption"] -.-> | may-harden | T1055003["Thread Execution Hijacking"] ;
    class FileEncryption DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click FileEncryption href "/technique/d3f:FileEncryption";

    %% File Analysis: analyzes Executable Binary, may-detect.
    FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
    FileAnalysis["File Analysis"] -.-> | may-detect | T1055003["Thread Execution Hijacking"] ;
    class FileAnalysis DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click FileAnalysis href "/technique/d3f:FileAnalysis";

    %% Remote File Access Mediation: isolates Executable Binary, may-isolate.
    RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableBinary["Executable Binary"];
    RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1055003["Thread Execution Hijacking"] ;
    class RemoteFileAccessMediation DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

    %% System Call Filtering: filters System Call, may-isolate.
    SystemCallFiltering["System Call Filtering"] --> | filters | SystemCall["System Call"];
    SystemCallFiltering["System Call Filtering"] -.-> | may-isolate | T1055003["Thread Execution Hijacking"] ;
    class SystemCallFiltering DefensiveTechniqueNode;
    class SystemCall ArtifactNode;
    click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

    %% Restore File: restores Executable Binary, may-restore.
    RestoreFile["Restore File"] --> | restores | ExecutableBinary["Executable Binary"];
    RestoreFile["Restore File"] -.-> | may-restore | T1055003["Thread Execution Hijacking"] ;
    class RestoreFile DefensiveTechniqueNode;
    class ExecutableBinary ArtifactNode;
    click RestoreFile href "/technique/d3f:RestoreFile";