CAPEC-640: Inclusion of Code in Existing Process

Abstraction: Detailed
Status: Stable
Likelihood: Low
Severity: High

Description

The adversary takes advantage of a bug in an application that fails to verify the integrity of the running process in order to execute arbitrary code in the address space of a separate live process. Running code in the context of another process lets the adversary attempt to access that process's memory, its system and network resources, and so on. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include, but are not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.

Related weaknesses (2)

CWE-114
CWE-829

MITRE ATT&CK crosswalk (4)

T1505.005: Server Software Component: Terminal Services DLL
T1574.006: Hijack Execution Flow: Dynamic Linker Hijacking
T1574.013: Hijack Execution Flow: KernelCallbackTable
T1620: Reflective Code Loading

Related attack patterns (1)

CAPEC-251 (ChildOf)

Exploits (2)

Type      Target                                                               Confidence  Tier
Weakness  Inclusion of Functionality from Untrusted Control Sphere (cwe-829)   100%        live
Weakness  Process Control (cwe-114)                                            100%        live

Related to (4)

Type          Target                                   Confidence  Tier
SubTechnique  KernelCallbackTable (t1574.013)          100%        live
SubTechnique  Dynamic Linker Hijacking (t1574.006)     100%        live
Technique     Reflective Code Loading (t1620)          100%        live
SubTechnique  Terminal Services DLL (t1505.005)        100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Code Inclusion
CAPEC: Code Injection
CAPEC: Local Code Inclusion
CAPEC: Remote Code Inclusion
Sub-technique: Portable Executable Injection
Technique: Process Injection
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.