Detecting T1055 Process Injection With Sysmon | Skills Pool
Skill ファイル
Detecting T1055 Process Injection With Sysmon
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
Event ID 8 (CreateRemoteThread) enabled for remote thread detection
Event ID 10 (ProcessAccess) configured with appropriate access mask filters
Event ID 7 (ImageLoaded) for DLL injection detection
Event ID 25 (ProcessTampering) for process hollowing on Sysmon 13+
SIEM platform for correlation and alerting
Workflow
Monitor CreateRemoteThread (Event 8): Detect when one process creates a thread in another process's address space. This is the primary indicator of classic DLL injection and shellcode injection.
関連 Skill
Analyze ProcessAccess (Event 10): Track cross-process handle requests with PROCESS_VM_WRITE (0x0020), PROCESS_VM_OPERATION (0x0008), and PROCESS_CREATE_THREAD (0x0002) access rights. Legitimate processes rarely need these on other processes.
Detect Anomalous DLL Loading (Event 7): Identify DLLs loaded from unusual paths (user temp directories, download folders) into system processes.
Hunt Process Hollowing (Event 25): Sysmon 13+ generates ProcessTampering events when the executable image in memory diverges from what was mapped from disk -- a hallmark of process hollowing (T1055.012).
Correlate with Process Creation: Link injection events to the originating process creation (Event 1) to build the full attack chain from initial execution to injection.
Filter Known-Good Cross-Process Activity: Exclude legitimate software that performs cross-process operations (debuggers, AV products, accessibility tools, RMM agents).
Map to ATT&CK Sub-Techniques: Classify detected injection as classic injection (T1055.001), PE injection (T1055.002), thread execution hijacking (T1055.003), APC injection (T1055.004), thread local storage (T1055.005), process hollowing (T1055.012), or process doppelganging (T1055.013).
Key Concepts
Concept
Description
T1055.001
Dynamic-link Library Injection
T1055.002
Portable Executable Injection
T1055.003
Thread Execution Hijacking
T1055.004
Asynchronous Procedure Call (APC) Injection
T1055.005
Thread Local Storage
T1055.012
Process Hollowing
T1055.013
Process Doppelganging
T1055.015
ListPlanting
Sysmon Event 8
CreateRemoteThread detected
Sysmon Event 10
ProcessAccess with memory write permissions
Sysmon Event 25
ProcessTampering (image mismatch)
Access Mask 0x1FFFFF
PROCESS_ALL_ACCESS -- full cross-process control
Tools & Systems
Tool
Purpose
Sysmon
Primary telemetry source for injection detection
Process Hacker
Manual investigation of process memory regions
PE-sieve
Scan running processes for hollowed/injected code
Moneta
Detect anomalous memory regions in processes
Splunk / Elastic
SIEM correlation of Sysmon events
Volatility
Memory forensics for injection artifacts
Hollows Hunter
Automated scan for hollowed processes
Detection Queries
Splunk -- Remote Thread Creation
index=sysmon EventCode=8
| where SourceImage!=TargetImage
| where NOT match(SourceImage, "(?i)(csrss|lsass|services|svchost|MsMpEng|SecurityHealthService|vmtoolsd)\.exe$")
| eval suspicious=if(match(TargetImage, "(?i)(svchost|explorer|lsass|winlogon|csrss|services)\.exe$"), "high_value_target", "normal_target")
| where suspicious="high_value_target"
| table _time Computer SourceImage SourceProcessId TargetImage TargetProcessId StartFunction NewThreadId
Splunk -- Suspicious ProcessAccess Patterns
index=sysmon EventCode=10
| where SourceImage!=TargetImage
| where match(GrantedAccess, "(0x1FFFFF|0x1F3FFF|0x143A|0x0040)")
| where match(TargetImage, "(?i)(lsass|svchost|explorer|winlogon)\.exe$")
| where NOT match(SourceImage, "(?i)(MsMpEng|csrss|services|svchost|taskmgr|procexp)\.exe$")
| table _time Computer SourceImage TargetImage GrantedAccess CallTrace
KQL -- Process Injection via Remote Thread
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ ("csrss.exe", "lsass.exe", "services.exe", "svchost.exe")
| where FileName in~ ("svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine