CAPEC-640: Inclusion of Code in Existing Process
ID
CAPEC-640
Typical Severity
High
Likelihood Of Attack
Low
Status
Stable
The adversary takes advantage of a bug in an application that fails to verify the integrity of the running process, executing arbitrary code in the address space of a separate live process. By running code in the context of another process, the adversary can attempt to access that process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include, but are not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.
Weaknesses
Taxonomy Mapping
Type | ID | Name |
---|---|---|
ATTACK | 1505.005 | Server Software Component: Terminal Services DLL |
ATTACK | 1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking |
ATTACK | 1574.013 | Hijack Execution Flow: KernelCallbackTable |
ATTACK | 1620 | Reflective Code Loading |