Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0297: Analytic 0297

Detects PE injection through a behavioral sequence where one process opens (OpenProcess) a handle to another, allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then initiates a new thread (CreateRemoteThread or NtCreateThreadEx) in that process—executing injected code in memory without touching disk. Optional: injects a trampoline or shellcode that unpacks/reflectively maps the payload.

EnterpriseAN0297AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Windows process injection behavior where code is placed into another process and run from memory rather than written to disk. For leaders, the significance is that this kind of behavior can bypass file-focused controls and make incident scoping harder unless endpoint telemetry captures process access, memory allocation, memory writes, and remote thread creation events.

Executive priority

Prioritize this as a validation item for endpoint visibility and response readiness on Windows systems. The business question is not only whether malware is blocked, but whether the SOC can prove when one process manipulates another in memory, investigate the source and target process, and preserve enough evidence for containment, compliance reporting, and post-incident assurance.

Technical view

For SOC and detection engineering teams, validate whether Windows endpoint telemetry can correlate a behavioral chain involving a process opening a handle to another process, allocating memory in that remote process, writing PE-like content or shellcode indicators, and starting execution through remote thread creation APIs such as CreateRemoteThread or NtCreateThreadEx. Because no official detection logic is supplied, implementation should focus on correlation quality, process lineage, source and target process context, and expected administrative or security-tool behaviors that may resemble parts of the sequence.

Likely telemetry

  • Windows endpoint process telemetry showing source and target process relationships
  • API or EDR events for OpenProcess-style cross-process handle access
  • Remote memory allocation events such as VirtualAllocEx
  • Cross-process memory write events such as WriteProcessMemory
  • Remote thread creation events including CreateRemoteThread or NtCreateThreadEx where available

Detection direction

  • Validate correlation across the full sequence rather than alerting on a single API event in isolation.
  • Tune for source process, target process, user context, signer, and parent-child lineage to reduce false positives from legitimate debuggers, security tools, administrative utilities, or application compatibility components.
  • Confirm whether telemetry captures in-memory behavior; file, command-line, and network logs alone are unlikely to provide complete coverage for this analytic.
  • Prioritize suspicious combinations where an unusual or low-reputation source process injects into a sensitive, long-running, or unexpected target process.
  • Document gaps where EDR or audit configuration does not expose memory allocation, memory write, or remote thread creation details.

Mitigation priorities

  • Ensure Windows endpoints that matter to business continuity are covered by telemetry capable of observing cross-process memory manipulation.
  • Harden and monitor administrative privileges because process injection visibility and response depend heavily on user and process context.
  • Use application control, least privilege, and endpoint protection policies to reduce opportunities for untrusted processes to execute and manipulate other processes.
  • Prepare incident response procedures for collecting process lineage, memory-related telemetry, and affected host evidence when this analytic fires.
  • Review detection coverage as part of compliance and resilience evidence, especially where fileless or memory-resident execution is in scope for risk assessments.
Analyst notes and limits

The ATT&CK object provides a behavioral description for a Windows detection analytic but does not include an official detection query, tactics, related techniques, or relationship context. Treat this as a coverage and validation guide rather than a ready-to-deploy rule.

This take is limited to the supplied STIX fields and the external MITRE reference. It does not establish active exploitation, attribution, prevalence, impact, or guaranteed detectability. Local endpoint tooling, logging depth, and baseline knowledge are required to determine practical coverage and false-positive rates.

Official MITRE ATT&CK definition

Analytic 0297

Detects PE injection through a behavioral sequence where one process opens (OpenProcess) a handle to another, allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then initiates a new thread (CreateRemoteThread or NtCreateThreadEx) in that process—executing injected code in memory without touching disk. Optional: injects a trampoline or shellcode that unpacks/reflectively maps the payload.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
560129d6e0d50264...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 560129d6e0d5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0297
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use