T1631 Process Injection
Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Neither Android nor iOS provides a legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.
| Item | Value |
|---|---|
| ID | T1631 |
| Sub-techniques | T1631.001 |
| Tactics | TA0030, TA0029 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 30 March 2022 |
| Last Modified | 20 March 2023 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0041 | Application Vetting | API Calls |