T1055.001 Dynamic-link Library Injection Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect DLL injection via CreateRemoteThread targeting LoadLibrary
let SuspiciousInjectors = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"]);
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| project Timestamp, DeviceName, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         FileName, ProcessId, ProcessCommandLine
| join kind=leftouter (
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | where FileName !startswith "C:\\Windows\\System32\\"
    | where FileName !startswith "C:\\Windows\\SysWOW64\\"
    | where FileName !startswith "C:\\Program Files"
    | project LoadTime=Timestamp, DeviceName, ProcessId=InitiatingProcessId, LoadedDLL=FileName, SHA256
) on DeviceName, ProcessId
| where isnotempty(LoadedDLL)
| extend SuspiciousSource = InitiatingProcessFileName in~ (SuspiciousInjectors)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, LoadedDLL, SHA256, SuspiciousSource
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: OS API Execution Module: Module Load Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceImageLoadEvents

False Positives

EDR and antivirus products injecting monitoring DLLs (e.g., CrowdStrike csagent.dll, SentinelOne hooks)
Application compatibility framework (apphelp.dll) loading shim DLLs into processes
Software instrumentation tools (AppDynamics, Dynatrace) injecting agent DLLs for APM monitoring
Browser extensions and plugins loading DLLs into browser processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| rename SourceImage as InjectorProcess, TargetImage as TargetProcess
| eval InjectorName=mvindex(split(InjectorProcess, "\\"), -1)
| eval TargetName=mvindex(split(TargetProcess, "\\"), -1)
| search NOT InjectorProcess IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\lsass.exe")
| join type=left TargetProcessId=TargetProcessId host [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 NOT (ImageLoaded="C:\\Windows\\System32\\*" OR ImageLoaded="C:\\Windows\\SysWOW64\\*" OR ImageLoaded="C:\\Program Files*")
| rename ProcessId as TargetProcessId, ImageLoaded as InjectedDLL
| fields _time, host, TargetProcessId, InjectedDLL]
| where isnotnull(InjectedDLL)
| table _time, host, User, InjectorProcess, TargetProcess, StartModule, StartFunction, InjectedDLL
| sort - _time

high severity high confidence

Data Sources

Process: OS API Execution Module: Module Load Sysmon Event ID 7 Sysmon Event ID 8

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

EDR and antivirus products performing legitimate DLL injection for process monitoring
Application compatibility shims loading DLLs via apphelp.dll
APM/instrumentation tools injecting agent DLLs into monitored applications
Browser extensions loading plugin DLLs

Elastic Security (EQL)

eql

sequence by host.id with maxspan=60s
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "8" and
   not winlog.event_data.SourceImage : ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\lsass.exe") and
   winlog.event_data.SourceImage : ("*\\rundll32.exe", "*\\regsvr32.exe", "*\\mshta.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\powershell.exe", "*\\cmd.exe")] by winlog.event_data.TargetProcessId
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "7" and
   not winlog.event_data.ImageLoaded : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*")] by winlog.event_data.ProcessId

high severity high confidence

Data Sources

Sysmon operational logs via Winlogbeat or Elastic Agent Windows Event Logs

Required Tables

logs-endpoint.events.* winlogbeat-* logs-windows.*

False Positives

Security tools and EDR agents that legitimately use CreateRemoteThread for inter-process telemetry collection or self-protection hooks
Application performance monitoring agents (Dynatrace, AppDynamics, New Relic) that inject instrumentation DLLs from non-standard install paths into JVM or .NET processes
Software virtualization platforms and guest additions (VMware Tools, VirtualBox additions) that inject monitoring DLLs from custom installation directories

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  hostname,
  username,
  "Source Image" AS InjectorProcess,
  "Target Image" AS TargetProcess,
  "Start Module" AS StartModule,
  "Start Function" AS StartFunction,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) = 25
  AND (eventid = 8 OR LOWER(QIDNAME(qid)) LIKE '%createremotethread%')
  AND "Source Image" NOT ILIKE '%\\MsMpEng.exe'
  AND "Source Image" NOT ILIKE '%\\csrss.exe'
  AND "Source Image" NOT ILIKE '%\\services.exe'
  AND "Source Image" NOT ILIKE '%\\lsass.exe'
  AND (
    LOWER("Source Image") LIKE '%\\rundll32.exe'
    OR LOWER("Source Image") LIKE '%\\regsvr32.exe'
    OR LOWER("Source Image") LIKE '%\\mshta.exe'
    OR LOWER("Source Image") LIKE '%\\wscript.exe'
    OR LOWER("Source Image") LIKE '%\\cscript.exe'
    OR LOWER("Source Image") LIKE '%\\powershell.exe'
    OR LOWER("Source Image") LIKE '%\\cmd.exe'
  )
LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Sysmon via Microsoft Windows Security Event Log DSM (LOGSOURCETYPEID 25) Windows Security Event Log

Required Tables

events

False Positives

QRadar environments without Sysmon DSM custom property extensions will not parse Source Image or Target Image fields correctly, producing no results or noisy unparsed output
Legitimate .NET and Java runtimes use CreateRemoteThread-equivalent mechanisms during JIT compilation cross-process operations and remote debugging attachment
Process injection by trusted security products (CrowdStrike, Carbon Black, SentinelOne) for in-process hooking and real-time threat monitoring will match injector process patterns

Sumo Logic CSE

sql

(_sourceCategory=*sysmon* OR _sourceCategory=*windows*) (EventID=8 OR EventCode=8)
| where !(SourceImage matches /(?i)(MsMpEng|csrss|services|lsass)\.exe$/)
| where SourceImage matches /(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe$/
| parse field=SourceImage "*\\*" as _src_dir, InjectorName
| parse field=TargetImage "*\\*" as _tgt_dir, TargetName
| fields _messageTime, Computer, User, SourceImage, InjectorName, TargetImage, TargetName, StartModule, StartFunction
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon operational logs via Sumo Logic Installed Collector Windows Event Logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Custom in-house software using CreateRemoteThread for inter-process communication between application components deployed from non-standard paths
Electron-based applications and Chromium Embedded Framework apps that spawn renderer processes and inject helper DLLs at launch time
Windows Subsystem for Linux (WSL2) interop shims create cross-process threads in Win32 host processes during Linux binary execution

Google Chronicle / SecOps

yaral

rule dll_injection_createremotethread {
  meta:
    author = "df00tech"
    description = "Detects DLL injection via CreateRemoteThread from suspicious injector processes followed by non-standard DLL load in target process"
    severity = "HIGH"
    mitre_attack = "T1055.001"
    reference = "https://attack.mitre.org/techniques/T1055/001/"

  events:
    $inj.metadata.event_type = "PROCESS_INJECTION"
    re.regex($inj.principal.process.file.full_path,
      `(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe`)
    not re.regex($inj.principal.process.file.full_path,
      `(?i)(MsMpEng|csrss\.exe|services\.exe|lsass\.exe)`)
    $inj.target.process.file.full_path != ""
    $inj.principal.hostname = $load.principal.hostname

    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    not re.regex($load.target.file.full_path,
      `(?i)^(c:\\windows\\system32|c:\\windows\\syswow64|c:\\program files)`)
    $load.target.file.full_path != ""

  match:
    $inj.principal.hostname over 1m

  condition:
    #inj > 0 and #load > 0
}

high severity medium confidence

Data Sources

Google Chronicle UDM via Sysmon Chronicle forwarder Microsoft Defender for Endpoint via Chronicle integration Windows Defender ATP alerts forwarded to Chronicle

Required Tables

UDM events with event_type PROCESS_INJECTION and PROCESS_MODULE_LOAD

False Positives

Chronicle UDM normalization may map legitimate COM out-of-process server activation and DDE communication to PROCESS_INJECTION, generating false positives in heavily Office-automated environments
Software updaters, crash reporters (Breakpad, WER), and diagnostic agents that inject tracing DLLs from vendor-specific subdirectories under ProgramData will match the DLL path filter
JVM and CLR runtime environments perform cross-process memory operations during just-in-time compilation and remote profiling that may normalize to PROCESS_INJECTION in UDM

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /InjectedThread|CreateRemoteThreadApiCall/
| SourceImageFileName != /(?i)(MsMpEng|csrss|services|lsass)\.exe/
| SourceImageFileName = /(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe/
| TargetImageFileName != ""
| groupBy(
    [ComputerName, UserName, SourceImageFileName, TargetImageFileName, StartAddress],
    function=[
      count(as=InjectionCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| InjectionCount > 0
| sort(InjectionCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR sensor telemetry LogScale (Humio) Falcon event pipeline

Required Tables

falcon:events (InjectedThread, CreateRemoteThreadApiCall event types)

False Positives

CrowdStrike Falcon sensor self-protection and anti-tamper mechanisms may generate InjectedThread events from Falcon's own processes during sensor health checks
Windows Defender and third-party AV products routinely use CreateRemoteThread during real-time scan hooking and memory scanning operations against running processes
Debugging sessions with WinDbg, Visual Studio, or x64dbg generate CreateRemoteThread events when attaching to or detaching from target processes, which will be captured by the Falcon sensor

Dynamic-link Library Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections