INJ-THREAD-HIJACKDefense Evasion

Thread Execution Hijack

SuspendThread + SetThreadContext + ResumeThread to redirect EIP/RIP — classic injection, well-detected but still useful as a primitive.

§ Where this technique fits

INJ-THREAD-HIJACK is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 5 on average.

§ Dossiers chaining this technique

Process hollowing → run beacon in svchost shell
Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.
step 5 / 6

§ What commonly comes next

01
Application Layer Protocol
T1071 · Command and Control
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Process hollowing → run beacon in svchost shell

§ What commonly comes next