Which SIEM platforms have a T1055 detection rule?

df00tech provides T1055 (Process Injection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Process Injection (T1055)?

Detecting Process Injection requires the following data sources: Process: Process Access, Process: OS API Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1055 detection?

The T1055 detection is rated high severity with medium confidence.

What are common false positives for T1055?

Common false positives for T1055 include: Endpoint protection products (CrowdStrike, SentinelOne, Carbon Black) injecting DLLs for hooking and monitoring; Application compatibility shims (apphelp.dll) that inject into processes for compatibility fixes; Accessibility tools (screen readers, magnifiers) that inject into processes to read UI state.

T1055

Process Injection

Defense Evasion Privilege Escalation Last updated: April 16, 2026

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

What is T1055 Process Injection?

Process Injection (T1055) maps to the Defense Evasion and Privilege Escalation tactics — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Process Injection, covering the data sources and telemetry it touches: Process: Process Access, Process: OS API Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion Privilege Escalation
Technique: T1055 Process Injection
Canonical reference: https://attack.mitre.org/techniques/T1055/

Microsoft Sentinel / Defender

kusto

// Broad process injection detection via Sysmon CreateRemoteThread and ProcessAccess
let HighRiskTargets = dynamic(["lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"]);
let TrustedSources = dynamic(["MsMpEng.exe", "csrss.exe", "services.exe", "svchost.exe", "lsass.exe", "wmiprvse.exe", "System"]);
// Detection 1: CreateRemoteThread into another process (Sysmon EID 8)
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ (TrustedSources)
| extend TargetIsHighRisk = FileName in~ (HighRiskTargets)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, TargetIsHighRisk
| sort by Timestamp desc

Detects cross-process CreateRemoteThread API calls using MDE DeviceEvents, which is the primary telemetry for generic process injection. Filters out known trusted OS sources and highlights injection into high-risk system processes like lsass.exe, csrss.exe, and svchost.exe. This is a broad parent detection — sub-technique detections provide more specific coverage.

high severity medium confidence

Data Sources

Process: Process Access Process: OS API Execution Microsoft Defender for Endpoint

Required Tables

DeviceEvents

False Positives

Endpoint protection products (CrowdStrike, SentinelOne, Carbon Black) injecting DLLs for hooking and monitoring
Application compatibility shims (apphelp.dll) that inject into processes for compatibility fixes
Accessibility tools (screen readers, magnifiers) that inject into processes to read UI state
Development tools and debuggers (Visual Studio, x64dbg, WinDbg) attaching to processes during debugging sessions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS AccessMask,
  QIDNAME(qid) AS EventName,
  magnitude
FROM events
WHERE
  (
    QIDNAME(qid) ILIKE '%CreateRemoteThread%'
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        "GrantedAccess" ILIKE '0x1F%'
        OR "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x143A')
      )
    )
  )
  AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
  AND "SourceImage" NOT ILIKE '%\csrss.exe'
  AND "SourceImage" NOT ILIKE '%\services.exe'
  AND "SourceImage" NOT ILIKE '%\svchost.exe'
  AND "SourceImage" NOT ILIKE '%\lsass.exe'
  AND "SourceImage" NOT ILIKE '%\wmiprvse.exe'
  AND (
    "TargetImage" ILIKE '%\lsass.exe'
    OR "TargetImage" ILIKE '%\csrss.exe'
    OR "TargetImage" ILIKE '%\winlogon.exe'
    OR "TargetImage" ILIKE '%\services.exe'
    OR "TargetImage" ILIKE '%\svchost.exe'
    OR "TargetImage" ILIKE '%\explorer.exe'
    OR "TargetImage" ILIKE '%\spoolsv.exe'
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

IBM QRadar AQL query detecting Sysmon CreateRemoteThread (EID 8) and suspicious ProcessAccess (EID 10) events with high-privilege access masks targeting critical Windows system processes. Requires the QRadar Windows Sysmon DSM to be installed and configured with custom event properties for SourceImage, TargetImage, and GrantedAccess extracted from Sysmon XML payloads.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon (via QRadar Sysmon DSM) Microsoft Windows Event Log

Required Tables

events

False Positives

Windows Defender and third-party AV products reading lsass.exe memory with broad access masks for credential protection and threat scanning
Legitimate VSS-aware backup software (Veeam, Acronis) opening handles to critical processes with full access for application-consistent snapshots
Software development and decompilation tools (dotPeek, dnSpy) attaching to .NET processes with PROCESS_ALL_ACCESS for live code analysis
Windows Error Reporting (WerFault.exe) opening handles to crashing processes to collect memory dumps for telemetry reporting

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* (EventID=8 OR EventID=10)
| where EventID = 8 OR (EventID = 10 AND (GrantedAccess matches "0x1F*" OR GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x143A")))
| where !(SourceImage matches "*MsMpEng.exe") AND !(SourceImage matches "*csrss.exe") AND !(SourceImage matches "*services.exe") AND !(SourceImage matches "*svchost.exe") AND !(SourceImage matches "*lsass.exe") AND !(SourceImage matches "*wmiprvse.exe")
| where TargetImage matches "*lsass.exe" OR TargetImage matches "*csrss.exe" OR TargetImage matches "*winlogon.exe" OR TargetImage matches "*services.exe" OR TargetImage matches "*svchost.exe" OR TargetImage matches "*explorer.exe" OR TargetImage matches "*spoolsv.exe"
| fields _messageTime, Computer, User, EventID, SourceImage, TargetImage, GrantedAccess
| sort by _messageTime

Sumo Logic query detecting Sysmon CreateRemoteThread (EID 8) and ProcessAccess (EID 10) events with high-privilege access masks targeting critical Windows system processes. Filters trusted AV, OS, and WMI sources. Requires Sysmon logs collected via Sumo Logic Windows collector with source category containing 'windows' and 'sysmon', with Sysmon XML fields parsed (SourceImage, TargetImage, GrantedAccess).

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon (via Sumo Logic collector agent)

Required Tables

Sysmon Operational Event Log (Microsoft-Windows-Sysmon/Operational)

False Positives

CrowdStrike Falcon, Carbon Black, and similar EDR sensors performing routine behavioral monitoring via process handle acquisition on protected processes
Task Manager and Sysinternals Process Explorer opening handles to privileged system processes for memory and CPU usage display when run as SYSTEM
Penetration testing frameworks (Cobalt Strike, Metasploit) legitimately used during authorized red team exercises against isolated test environments
Windows Performance Monitor and ETW-based profiling tools acquiring PROCESS_VM_READ access to sample memory regions of running processes

Google Chronicle / SecOps

yaral

rule t1055_process_injection_high_value_target {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process injection via CreateRemoteThread or high-privilege ProcessAccess targeting critical Windows processes (MITRE ATT&CK T1055)"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_INJECTION" OR
      (
        $e.metadata.event_type = "PROCESS_OPEN" AND
        (
          $e.additional.fields["GrantedAccess"] = /0x1[Ff][0-9A-Fa-f]{4}/ OR
          $e.additional.fields["GrantedAccess"] = "0x1FFFFF" OR
          $e.additional.fields["GrantedAccess"] = "0x001F0FFF" OR
          $e.additional.fields["GrantedAccess"] = "0x143A"
        )
      )
    )
    NOT $e.principal.process.file.full_path = /(?i)(MsMpEng|csrss|services|svchost|lsass|wmiprvse)\.exe$/
    $e.target.process.file.full_path = /(?i)(lsass|csrss|winlogon|services|svchost|explorer|spoolsv)\.exe$/

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting process injection targeting high-value Windows processes. Covers Sysmon CreateRemoteThread events mapped to PROCESS_INJECTION UDM type and ProcessAccess events with high-privilege GrantedAccess masks mapped to PROCESS_OPEN. Source process filtering excludes known-safe OS and security tool paths. Requires Sysmon data ingested via Chronicle forwarder with Windows Sysmon UDM parser; GrantedAccess availability in additional.fields depends on parser configuration.

high severity medium confidence

Data Sources

Google Chronicle SIEM Windows Sysmon (via Chronicle forwarder) Chronicle UDM Events

Required Tables

UDM Events

False Positives

Hypervisor guest integration tools (VMware Tools, VirtualBox Guest Additions) performing PROCESS_OPEN operations on Windows host processes for memory sharing and clipboard integration
Windows Subsystem for Linux (WSL2) infrastructure components acquiring broad process handles to Windows-side processes for file system and network bridging
Application performance management agents (Dynatrace OneAgent, New Relic) injecting profiling bytecode into monitored processes at runtime
Endpoint protection platforms performing memory forensics via PROCESS_VM_READ on critical processes as part of live incident response or threat hunting workflows

Sigma rule & cross-platform mapping

The detection logic for Process Injection (T1055) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1055 Sigma rules on detection.fyi

Platform-specific guides for T1055

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1CreateRemoteThread DLL Injection via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for notepad.exe spawned by PowerShell. If using the full injection API chain, Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) will fire for the cross-process interaction.
Test 2Process Injection via Mavinject
Expected signal: Sysmon Event ID 1: Process Create for mavinject.exe with /INJECTRUNNING argument. Sysmon Event ID 8: CreateRemoteThread from mavinject.exe to the target. Sysmon Event ID 7: ImageLoad of the injected DLL in the target process.
Test 3Ptrace-based Process Injection on Linux
Expected signal: auditd: PTRACE syscall logged with type=SYSCALL and a]0=PTRACE_ATTACH. Syslog may show process attachment events. /proc/[pid]/status will show TracerPid set to the strace PID.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1055 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0005Defense Evasion TA0004Privilege Escalation

Sub-techniques (12)

Related Techniques

T1055.001Dynamic-link Library Injection T1055.002Portable Executable Injection T1055.003Thread Execution Hijacking T1055.004Asynchronous Procedure Call T1055.012Process Hollowing T1003OS Credential Dumping T1134Access Token Manipulation T1027.011Fileless Storage

Process Injection

What is T1055 Process Injection?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1055

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1055 Process Injection?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1055

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox