Process Injection

// Broad process injection detection via Sysmon CreateRemoteThread and ProcessAccess
let HighRiskTargets = dynamic(["lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"]);
let TrustedSources = dynamic(["MsMpEng.exe", "csrss.exe", "services.exe", "svchost.exe", "lsass.exe", "wmiprvse.exe", "System"]);
// Detection 1: CreateRemoteThread into another process (Sysmon EID 8)
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ (TrustedSources)
| extend TargetIsHighRisk = FileName in~ (HighRiskTargets)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, TargetIsHighRisk
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=8 OR EventCode=10)
| eval is_remote_thread=if(EventCode=8, 1, 0)
| eval is_process_access=if(EventCode=10 AND (match(GrantedAccess, "0x1F[0-9A-Fa-f]{4}") OR GrantedAccess="0x1FFFFF" OR GrantedAccess="0x001F0FFF" OR GrantedAccess="0x143A"), 1, 0)
| where is_remote_thread=1 OR is_process_access=1
| eval SourceProcess=coalesce(SourceImage, Image)
| eval TargetProcess=coalesce(TargetImage, Image)
| search NOT SourceProcess IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\svchost.exe", "*\\lsass.exe")
| eval HighRiskTarget=if(match(TargetProcess, "(?i)(lsass|csrss|winlogon|services|svchost|explorer)\.exe$"), "Yes", "No")
| table _time, host, User, EventCode, SourceProcess, TargetProcess, GrantedAccess, HighRiskTarget
| sort - _time

any where event.module == "sysmon" and
  event.code in ("8", "10") and
  not winlog.event_data.SourceImage like~ ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\svchost.exe", "*\\lsass.exe", "*\\wmiprvse.exe") and
  (
    event.code == "8" or
    (
      event.code == "10" and
      winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x143A", "0x1F0FFF", "0x1F3FFF")
    )
  ) and
  winlog.event_data.TargetImage like~ ("*\\lsass.exe", "*\\csrss.exe", "*\\winlogon.exe", "*\\services.exe", "*\\svchost.exe", "*\\explorer.exe", "*\\spoolsv.exe")

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS AccessMask,
  QIDNAME(qid) AS EventName,
  magnitude
FROM events
WHERE
  (
    QIDNAME(qid) ILIKE '%CreateRemoteThread%'
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        "GrantedAccess" ILIKE '0x1F%'
        OR "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x143A')
      )
    )
  )
  AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
  AND "SourceImage" NOT ILIKE '%\csrss.exe'
  AND "SourceImage" NOT ILIKE '%\services.exe'
  AND "SourceImage" NOT ILIKE '%\svchost.exe'
  AND "SourceImage" NOT ILIKE '%\lsass.exe'
  AND "SourceImage" NOT ILIKE '%\wmiprvse.exe'
  AND (
    "TargetImage" ILIKE '%\lsass.exe'
    OR "TargetImage" ILIKE '%\csrss.exe'
    OR "TargetImage" ILIKE '%\winlogon.exe'
    OR "TargetImage" ILIKE '%\services.exe'
    OR "TargetImage" ILIKE '%\svchost.exe'
    OR "TargetImage" ILIKE '%\explorer.exe'
    OR "TargetImage" ILIKE '%\spoolsv.exe'
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC

_sourceCategory=*windows*sysmon* (EventID=8 OR EventID=10)
| where EventID = 8 OR (EventID = 10 AND (GrantedAccess matches "0x1F*" OR GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x143A")))
| where !(SourceImage matches "*MsMpEng.exe") AND !(SourceImage matches "*csrss.exe") AND !(SourceImage matches "*services.exe") AND !(SourceImage matches "*svchost.exe") AND !(SourceImage matches "*lsass.exe") AND !(SourceImage matches "*wmiprvse.exe")
| where TargetImage matches "*lsass.exe" OR TargetImage matches "*csrss.exe" OR TargetImage matches "*winlogon.exe" OR TargetImage matches "*services.exe" OR TargetImage matches "*svchost.exe" OR TargetImage matches "*explorer.exe" OR TargetImage matches "*spoolsv.exe"
| fields _messageTime, Computer, User, EventID, SourceImage, TargetImage, GrantedAccess
| sort by _messageTime

rule t1055_process_injection_high_value_target {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects process injection via CreateRemoteThread or high-privilege ProcessAccess targeting critical Windows processes (MITRE ATT&CK T1055)"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_INJECTION" OR
      (
        $e.metadata.event_type = "PROCESS_OPEN" AND
        (
          $e.additional.fields["GrantedAccess"] = /0x1[Ff][0-9A-Fa-f]{4}/ OR
          $e.additional.fields["GrantedAccess"] = "0x1FFFFF" OR
          $e.additional.fields["GrantedAccess"] = "0x001F0FFF" OR
          $e.additional.fields["GrantedAccess"] = "0x143A"
        )
      )
    )
    NOT $e.principal.process.file.full_path = /(?i)(MsMpEng|csrss|services|svchost|lsass|wmiprvse)\.exe$/
    $e.target.process.file.full_path = /(?i)(lsass|csrss|winlogon|services|svchost|explorer|spoolsv)\.exe$/

  condition:
    $e
}

(#event_simpleName = "CreateRemoteThread" OR #event_simpleName = "ProcessInjection" OR #event_simpleName = "InjectionCode")
| SourceFileName != /(?i)(MsMpEng|csrss|services|svchost|lsass|wmiprvse)\.exe/
| TargetFileName = /(?i)(lsass|csrss|winlogon|services|svchost|explorer|spoolsv)\.exe/
| HighRiskTarget := "Yes"
| sort(field=@timestamp, order=desc, limit=500)
| table(@timestamp, ComputerName, UserSid, SourceFileName, SourceCommandLine, TargetFileName, HighRiskTarget)