T1055.003: Thread Execution Hijacking
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.
Thread Execution Hijacking is commonly performed by suspending a thread in an existing process, then unmapping/hollowing or overwriting memory in that process so it can be replaced with malicious code or the path to a DLL. A handle to a thread of the existing victim process is first obtained with native Windows API calls such as OpenThread (the memory operations additionally need a process handle, for example from OpenProcess). At this point the thread can be suspended, memory in the target allocated and written to, the thread's instruction pointer realigned to the injected code, and the thread resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.[1]
This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.
Analyst context for executives and security teams
Thread Execution Hijacking matters because malicious code can run inside a legitimate Windows process, making process-name-based trust and basic allow/deny logic less reliable. For leaders, the practical issue is not just malware execution; it is whether endpoint controls, SOC telemetry, and incident response playbooks can recognize suspicious thread suspension, memory modification, and context switching when the visible process may appear normal.
Executive priority
Prioritize this as a Windows endpoint defense-evasion and privilege-escalation concern under Process Injection. It can affect incident decision-making because a trusted process may be the execution container for malicious activity. Security leaders should ask whether endpoint behavior prevention is deployed and tuned, whether SOC teams collect the endpoint events needed to investigate injection-like behavior, and whether audit/compliance evidence demonstrates coverage beyond simple malware signatures or process names.
Technical view
This is a Windows sub-technique of Process Injection associated with stealth and privilege escalation. ATT&CK provides no official detection text, but the relationship to DET0295 points defenders toward behavioral detection of thread execution hijacking through thread suspension and context switching. SOC and detection teams should validate visibility into suspicious cross-process/thread activity, memory allocation or writes into another process, thread context changes, and resumed execution in a process whose behavior no longer matches its normal profile. Investigations should treat the apparent host process carefully, because execution may be masked under a legitimate process.
Likely telemetry
- Endpoint detection and response events for process, thread, and memory behavior on Windows
- Telemetry for cross-process handle access and thread manipulation
- Events indicating thread suspension, context changes, and resumed execution
- Memory allocation or write activity involving another live process
- Process lineage, command-line, module/DLL load, and image metadata for the apparent victim process
Detection direction
- Validate DET0295-style behavioral analytics for thread suspension and context switching rather than relying only on process names or file signatures.
- Tune detections around unusual cross-process thread and memory activity, especially when a normally trusted process begins unexpected file, network, or child-process behavior.
- Correlate endpoint events with process lineage and privilege context to reduce false positives from legitimate debugging, security tooling, or administrative software.
- Confirm that telemetry is retained long enough for incident response to reconstruct the target process, source process, and timing of injection-like behavior.
- Hunt for this behavior in the broader T1055 Process Injection context, since similar outcomes may appear through related injection methods.
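The API chain named in the technique description (SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) and the detection direction above, as an added example that is not part of the original page, of ATT&CK, or of any vendor product: a Python correlation that groups cross-process API telemetry per source/target process pair, drops allowlisted debuggers, and reports pairs that show the full suspend, write, context-change, resume sequence inside a time window. The `key=value` log format, the process names, the 30-second window and the debugger allowlist are all constructed assumptions for illustration, not a real product's schema or a recommended threshold.

```python
"""Added example: correlate cross-process thread-manipulation telemetry into the
T1055.003 API chain (SuspendThread -> WriteProcessMemory -> SetThreadContext ->
ResumeThread) per source/target process pair.  The log format, process names,
window and allowlist below are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Required stages, in order. VirtualAllocEx is deliberately not required:
# the injected code can land in memory the target already owns.
CHAIN = ("SuspendThread", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
WINDOW = timedelta(seconds=30)  # assumed correlation window; tune locally
# Assumed allowlist of source images that legitimately drive foreign threads
# (debuggers). An empty set disables the suppression.
DEBUGGER_ALLOWLIST = {"devenv.exe", "windbg.exe"}

# Constructed sample telemetry: one cross-process API call per line.
SAMPLE_LINES = [
    # Debugger attaching to its own debuggee: same chain, allowlisted source.
    "ts=2024-05-01T10:00:01 src_pid=4120 src_image=devenv.exe dst_pid=5016 dst_image=myapp.exe api=OpenThread",
    "ts=2024-05-01T10:00:01 src_pid=4120 src_image=devenv.exe dst_pid=5016 dst_image=myapp.exe api=SuspendThread",
    "ts=2024-05-01T10:00:02 src_pid=4120 src_image=devenv.exe dst_pid=5016 dst_image=myapp.exe api=WriteProcessMemory",
    "ts=2024-05-01T10:00:02 src_pid=4120 src_image=devenv.exe dst_pid=5016 dst_image=myapp.exe api=SetThreadContext",
    "ts=2024-05-01T10:00:03 src_pid=4120 src_image=devenv.exe dst_pid=5016 dst_image=myapp.exe api=ResumeThread",
    # Hypothetical loader (update.exe) hijacking a thread in explorer.exe: full chain in 4 s.
    "ts=2024-05-01T10:05:10 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=OpenThread",
    "ts=2024-05-01T10:05:10 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=SuspendThread",
    "ts=2024-05-01T10:05:11 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=VirtualAllocEx",
    "ts=2024-05-01T10:05:12 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=WriteProcessMemory",
    "ts=2024-05-01T10:05:13 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=SetThreadContext",
    "ts=2024-05-01T10:05:14 src_pid=6604 src_image=update.exe dst_pid=2380 dst_image=explorer.exe api=ResumeThread",
    # Partial activity: a lone write with no suspend/context change around it.
    "ts=2024-05-01T10:07:00 src_pid=1234 src_image=svchost.exe dst_pid=2380 dst_image=explorer.exe api=WriteProcessMemory",
    # Suspend and resume minutes apart with no write in between: outside the window.
    "ts=2024-05-01T10:09:00 src_pid=7000 src_image=tool.exe dst_pid=3300 dst_image=notepad.exe api=SuspendThread",
    "ts=2024-05-01T10:15:00 src_pid=7000 src_image=tool.exe dst_pid=3300 dst_image=notepad.exe api=ResumeThread",
]


def parse_line(line):
    """Parse one 'key=value ...' line into a dict with typed timestamp and pids."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src_pid"], rec["dst_pid"] = int(rec["src_pid"]), int(rec["dst_pid"])
    return rec


def match_chain(events, window):
    """Return the first in-order CHAIN match in a time-sorted event list, else None.
    Unrelated calls between stages (e.g. VirtualAllocEx) are skipped, not reset."""
    for i, start in enumerate(events):
        if start["api"] != CHAIN[0]:
            continue
        matched, stage = [start], 1
        for e in events[i + 1:]:
            if e["ts"] - start["ts"] > window:
                break
            if e["api"] == CHAIN[stage]:
                matched.append(e)
                stage += 1
                if stage == len(CHAIN):
                    return matched
    return None


def find_hijack_chains(lines, window=WINDOW, allowlist=DEBUGGER_ALLOWLIST):
    """Group cross-process events per (src_pid, dst_pid), drop allowlisted
    sources, and report every pair that shows the full hijack chain."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        if e["src_pid"] != e["dst_pid"]:  # only cross-process activity matters
            by_pair[(e["src_pid"], e["dst_pid"])].append(e)
    hits = []
    for (src, dst), evs in by_pair.items():
        if evs[0]["src_image"].lower() in allowlist:
            continue
        m = match_chain(evs, window)
        if m:
            hits.append({
                "src_pid": src, "src_image": evs[0]["src_image"],
                "dst_pid": dst, "dst_image": evs[0]["dst_image"],
                "apis": [e["api"] for e in m],
                "start": m[0]["ts"], "end": m[-1]["ts"],
            })
    return sorted(hits, key=lambda h: h["start"])


if __name__ == "__main__":
    for h in find_hijack_chains(SAMPLE_LINES):
        print(f"{h['src_image']}({h['src_pid']}) -> {h['dst_image']}({h['dst_pid']}): "
              f"{' -> '.join(h['apis'])} in {(h['end'] - h['start']).total_seconds():.0f}s")
```

Run as is, the script reports only the update.exe to explorer.exe pair; the devenv.exe pair shows the identical API chain and surfaces as soon as the allowlist is emptied, which is the false-positive trade-off the detection direction above describes. In production the allowlist should key on signed image path plus parent lineage rather than a bare file name, since an adversary can name a loader anything, and the window should be measured against the debugging and AV tooling actually present in the estate.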
Mitigation priorities
- Use Behavior Prevention on Endpoint (M1040) capabilities that analyze suspicious process behavior, API usage, and endpoint event patterns rather than relying solely on signatures.
- Prioritize Windows endpoint controls that can block or alert on anomalous cross-process memory and thread manipulation.
- Harden and monitor high-value endpoints where successful execution under another process could affect privileged access or critical operations.
- Ensure incident response procedures include memory-aware endpoint triage and do not assume a legitimate process name means legitimate execution.
- Use detections and control evidence as part of compliance readiness where endpoint behavior monitoring and response capability must be demonstrated.
Analyst notes and limits
ATT&CK links this technique to several Windows malware/software entries, including Trojan.Karagany, Gazer, Waterbear, and Pikabot, showing that the behavior is represented in known software reporting. Those relationships should inform threat-informed detection validation, but they do not by themselves prove current exposure or activity in any specific environment.
The official ATT&CK object does not provide a detection section, and the supplied relationship context gives only one detection strategy name and one mitigation category. Local validation is required to determine whether endpoint products expose the necessary thread, memory, and process behavior telemetry and whether legitimate tools create acceptable false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | This object is a sub-technique of Process Injection. |
Groups, software, and campaigns
S1145: Pikabot
Pikabot is a backdoor used for initial access and follow-on tool deployment, active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow-on tools such as Cobalt Strike or ransomware variants.[1][2][3]
S0579: Waterbear
S0168: Gazer
S0094: Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for reconnaissance and linked to Dragonfly. The source code for Trojan.Karagany originated from the Dream Loader malware, which was leaked in 2010 and sold on underground forums.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 9543f9915ee6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Elastic. Retrieved December 7, 2017. (Cited as "Elastic Process Injection July 2017".)
[2] MITRE ATT&CK. T1055.003: Thread Execution Hijacking.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.