DET0106: Behavioral Detection of PE Injection via Remote Memory Mapping
Analyst context for executives and security teams
DET0106 is a MITRE ATT&CK detection strategy for identifying behavior consistent with Portable Executable Injection through remote memory mapping. The business significance is that PE injection can let malicious code run inside another live Windows process, which may reduce the usefulness of simple process-name or file-on-disk controls and complicate incident scoping.
Executive priority
Treat this as a control-validation item for Windows endpoint visibility and SOC readiness. Leaders should ask whether current endpoint telemetry can show suspicious cross-process memory activity, not just malware files or process launches. Because the ATT&CK object has no official detection text or platform list, coverage claims should be proven with local testing and evidence, especially for privilege-escalation and stealth scenarios tied to T1055.002.
Technical view
This detection strategy is related to ATT&CK technique T1055.002, Portable Executable Injection, whose supplied context describes copying code into another process address space and invoking it through a new thread. SOC and detection engineering teams should validate whether their Windows telemetry can correlate process lineage with remote memory mapping or write activity, thread creation, and unusual executable image behavior inside a target process. The strategy object itself does not provide official detection logic, so implementations should be treated as environment-specific analytics rather than a MITRE-provided rule.
Likely telemetry
- Windows endpoint process creation and parent-child lineage
- Cross-process memory mapping, allocation, or write events where available
- Remote thread creation or thread start telemetry where available
- Image/module load and in-memory execution indicators
- EDR or host sensor alerts related to process injection behavior
Detection direction
- Validate visibility for the related Windows technique T1055.002 rather than assuming DET0106 supplies a complete analytic.
- Correlate multiple behaviors: a source process interacting with another process's memory space, followed by execution within the target process.
- Tune for legitimate software that performs injection-like activity, such as security tools, updaters, debuggers, or accessibility/management software.
- Prioritize unusual source-target process pairs, unexpected privilege boundaries, and activity involving sensitive or long-running processes.
- Document blind spots where host sensors cannot observe memory mapping, remote thread creation, or in-memory PE characteristics.
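The correlation described in the list above, as an added example that is not part of the DET0106 object or any MITRE-provided analytic: it joins a cross-process memory map/write event with a later remote-thread-creation event by the same source into the same target within a short window, suppresses allowlisted sources, and raises priority for sensitive targets and for a target whose integrity level exceeds the source's. The event schema, the allowlist path, the sample events and the thresholds are all constructed assumptions to be replaced with local telemetry (for example Sysmon ProcessAccess and CreateRemoteThread records) and local tuning.

```python
"""Correlate cross-process memory activity with remote thread creation (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical allowlist of source images that legitimately perform injection-like
# activity (debuggers, EDR sensors, accessibility/management tools). Tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\program files\vendor\debugger.exe",  # hypothetical path
}
# Long-running or security-sensitive target processes that raise alert priority.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "memory_write" (cross-process map/write) or "remote_thread"
    src_pid: int
    src_image: str
    tgt_pid: int
    tgt_image: str
    src_integrity: str   # integrity level of the source process
    tgt_integrity: str   # integrity level of the target process


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(write, thread):
    """Build an alert record; 'high' when a sensitive target or a privilege boundary is involved."""
    reasons, severity = [], "medium"
    if basename(thread.tgt_image) in SENSITIVE_TARGETS:
        reasons.append("sensitive target process")
        severity = "high"
    if INTEGRITY_RANK[thread.tgt_integrity.lower()] > INTEGRITY_RANK[thread.src_integrity.lower()]:
        reasons.append("target integrity exceeds source (privilege boundary crossed)")
        severity = "high"
    return {
        "severity": severity,
        "source": write.src_image, "src_pid": write.src_pid,
        "target": thread.tgt_image, "tgt_pid": thread.tgt_pid,
        "write_ts": write.ts, "thread_ts": thread.ts,
        "reasons": reasons,
    }


def correlate(events, window=timedelta(seconds=30)):
    """Alert when a memory write into a target is followed, within `window`,
    by remote thread creation in that target from the same source process."""
    alerts, pending = [], {}          # pending: (src_pid, tgt_pid) -> latest memory_write
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_pid, ev.tgt_pid)
        if ev.kind == "memory_write":
            pending[key] = ev
            continue
        if ev.kind != "remote_thread":
            continue
        write = pending.pop(key, None)
        if write is None or ev.ts - write.ts > window:
            continue                  # no preceding write, or stale one: no correlation
        if ev.src_image.lower() in ALLOWLISTED_SOURCES:
            continue                  # known injection-like tooling, tuned out
        alerts.append(score(write, ev))
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2025, 1, 15, 9, 0, 0)
DBG = r"c:\program files\vendor\debugger.exe"
TMP = r"c:\users\alice\appdata\local\temp\updater.exe"
SAMPLE_EVENTS = [
    # allowlisted debugger attaching to notepad: suppressed
    Event(T0, "memory_write", 4100, DBG, 2200, r"c:\windows\notepad.exe", "medium", "medium"),
    Event(T0 + timedelta(seconds=2), "remote_thread", 4100, DBG, 2200, r"c:\windows\notepad.exe", "medium", "medium"),
    # temp-folder binary writing into explorer, then starting a thread: medium alert
    Event(T0 + timedelta(seconds=10), "memory_write", 5300, TMP, 1800, r"c:\windows\explorer.exe", "medium", "medium"),
    Event(T0 + timedelta(seconds=12), "remote_thread", 5300, TMP, 1800, r"c:\windows\explorer.exe", "medium", "medium"),
    # same binary targeting a system-integrity sensitive process: high alert
    Event(T0 + timedelta(seconds=20), "memory_write", 5300, TMP, 700, r"c:\windows\system32\lsass.exe", "medium", "system"),
    Event(T0 + timedelta(seconds=21), "remote_thread", 5300, TMP, 700, r"c:\windows\system32\lsass.exe", "medium", "system"),
    # write with a thread far outside the window: no alert
    Event(T0 + timedelta(seconds=30), "memory_write", 6000, r"c:\windows\system32\svchost.exe", 2200, r"c:\windows\notepad.exe", "medium", "medium"),
    Event(T0 + timedelta(seconds=200), "remote_thread", 6000, r"c:\windows\system32\svchost.exe", 2200, r"c:\windows\notepad.exe", "medium", "medium"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["source"], "->", alert["target"], alert["reasons"])
```

The window and the allowlist are the two knobs a detection engineer tunes first: too wide a window re-introduces the benign debugger and updater noise the third bullet warns about, while an allowlist keyed on image path alone should be paired with signer or hash checks in the real pipeline. The blind-spot bullet applies directly: if the sensor never emits the memory-write event, `pending` stays empty and the analytic is silent, which is the gap to document.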
Mitigation priorities
- Start with endpoint visibility and retention sufficient to investigate process injection behavior on Windows systems relevant to critical operations.
- Harden privileged access and reduce unnecessary administrative rights because the related technique is associated with privilege escalation.
- Use application control, attack surface reduction, and least-privilege controls where appropriate to limit untrusted code execution paths.
- Ensure incident response playbooks include memory-focused triage and process lineage review, not only file quarantine.
- Maintain audit evidence showing what telemetry is collected, what detections exist, and where compensating controls cover gaps.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with name and relationship context but no official description or official detection text. The strongest supported interpretation is that it is intended to detect T1055.002 Portable Executable Injection, which is an enterprise Windows technique associated with stealth and privilege escalation.
Platforms and tactics are not specified on the detection-strategy object itself. Windows, stealth, and privilege-escalation context come from the related T1055.002 technique. No active exploitation, attribution, impact, or guaranteed detection coverage is supported by the supplied fields.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.002 | Portable Executable Injection (sub-technique) | This object detects Portable Executable Injection. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c5974a070cc6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0106 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.