T1055.001 Google Chronicle · YARA-L

Detect Dynamic-link Library Injection in Google Chronicle

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is commonly performed by writing the path to a DLL into the virtual address space of the target process and then having the target load the DLL from a new thread. The write is performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory; the load is triggered with CreateRemoteThread, using LoadLibrary as the thread's start routine and the written path as its argument, so the target process loads the DLL itself. Variations include reflective DLL injection (a self-mapping DLL), memory module loading, and Module Stomping/DLL Hollowing, where a legitimate DLL is loaded and its AddressOfEntryPoint is overwritten before execution.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1055 Process Injection
Sub-technique: T1055.001 Dynamic-link Library Injection
Canonical reference: https://attack.mitre.org/techniques/T1055/001/

YARA-L Detection Query

Google Chronicle (YARA-L):

rule dll_injection_createremotethread {
  meta:
    author = "df00tech"
    description = "Detects a PROCESS_INJECTION event from a commonly abused injector process followed within one minute by a DLL load from a non-system directory on the same host"
    severity = "HIGH"
    mitre_attack = "T1055.001"
    reference = "https://attack.mitre.org/techniques/T1055/001/"

  events:
    // Injection event (Sysmon Event ID 8 normalises to PROCESS_INJECTION)
    // whose source is one of the commonly abused injector binaries.
    $inj.metadata.event_type = "PROCESS_INJECTION"
    re.regex($inj.principal.process.file.full_path,
      `(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe`)
    // Defensive exclusion; it only takes effect if the injector list above
    // is widened, since none of these names can match the allowlist regex.
    not re.regex($inj.principal.process.file.full_path,
      `(?i)(MsMpEng|csrss\.exe|services\.exe|lsass\.exe)`)
    $inj.target.process.file.full_path != ""

    // Module load (Sysmon Event ID 7) of a DLL outside trusted system paths.
    // Note that ProgramData and user profiles are not in the trusted set.
    $load.metadata.event_type = "PROCESS_MODULE_LOAD"
    $load.target.file.full_path != ""
    not re.regex($load.target.file.full_path,
      `(?i)^(c:\\windows\\system32|c:\\windows\\syswow64|c:\\program files)`)

    // Join on hostname only: the load is not required to occur in the
    // injection target. The match section needs a placeholder variable,
    // so bind the hostname from both events to $hostname.
    $hostname = $inj.principal.hostname
    $hostname = $load.principal.hostname

  match:
    $hostname over 1m

  condition:
    $inj and $load
}
Severity: high. Confidence: medium.

Chronicle YARA-L 2.0 rule that correlates PROCESS_INJECTION UDM events from known-abused injector processes with PROCESS_MODULE_LOAD events for DLLs outside of trusted system directories. Both events must occur on the same host within a 1-minute window. The join is on hostname only: the DLL load is not required to occur in the injection target process, so any non-system DLL load on a busy host within the window satisfies the rule. Adding $inj.target.process.pid = $load.principal.process.pid to the events section tightens the correlation to the target process at the cost of missing cases where the two events carry inconsistent PIDs. Reflective and memory-module variants map the DLL from memory rather than loading it from disk, so they produce no PROCESS_MODULE_LOAD for the payload and this rule will not see them.

Data Sources

  • Google Chronicle UDM via Sysmon Chronicle forwarder
  • Microsoft Defender for Endpoint via Chronicle integration
  • Windows Defender ATP alerts forwarded to Chronicle

Required Tables

UDM events with event_type PROCESS_INJECTION and PROCESS_MODULE_LOAD

False Positives & Tuning

  • Chronicle UDM normalization may map legitimate COM out-of-process server activation and DDE communication to PROCESS_INJECTION, generating false positives in heavily Office-automated environments
  • Software updaters, crash reporters (Breakpad, WER), and diagnostic agents that inject tracing DLLs from vendor-specific subdirectories under ProgramData will match the DLL path filter
  • Debuggers and profilers that attach to running JVM and CLR processes (remote profiling, diagnostic attach) perform cross-process memory and thread operations that may normalize to PROCESS_INJECTION in UDM
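To see the rule's predicates and the host-only join behave on concrete events, here is an offline re-implementation of its logic run over a handful of constructed UDM-shaped events. This is an added example, not Chronicle code and not part of the original rule; the event dictionaries, hostnames, PIDs and paths are invented for illustration, and the field names are flattened stand-ins for the UDM paths the rule uses. It also shows the two tuning knobs discussed above: an allowlist of vendor path prefixes under ProgramData, and the optional tighter join on the injection target's PID that the YARA-L rule does not have.

```python
import re
from datetime import datetime, timedelta

# Predicates copied from the YARA-L rule. Python's re is not RE2, but these
# patterns use only syntax both engines share.
INJECTOR_RE = re.compile(r"(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe")
EXCLUDED_INJECTOR_RE = re.compile(r"(?i)(MsMpEng|csrss\.exe|services\.exe|lsass\.exe)")
TRUSTED_DIR_RE = re.compile(r"(?i)^(c:\\windows\\system32|c:\\windows\\syswow64|c:\\program files)")
WINDOW = timedelta(minutes=1)  # the rule's "over 1m"

# Constructed UDM-shaped events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    # ws01: rundll32 injects into notepad, then notepad loads a DLL from Temp
    {"ts": "2024-05-01T10:00:02Z", "event_type": "PROCESS_INJECTION", "hostname": "ws01",
     "principal_path": r"C:\Windows\System32\rundll32.exe", "principal_pid": 4120,
     "target_path": r"C:\Windows\System32\notepad.exe", "target_pid": 5532},
    {"ts": "2024-05-01T10:00:05Z", "event_type": "PROCESS_MODULE_LOAD", "hostname": "ws01",
     "principal_path": r"C:\Windows\System32\notepad.exe", "principal_pid": 5532,
     "module_path": r"C:\Users\alice\AppData\Local\Temp\evil.dll"},
    # ws01: an unrelated vendor agent loads a tracing DLL from ProgramData in the
    # same window; the host-only join pairs it with the injection above
    {"ts": "2024-05-01T10:00:20Z", "event_type": "PROCESS_MODULE_LOAD", "hostname": "ws01",
     "principal_path": r"C:\Program Files\Vendor\agent.exe", "principal_pid": 7001,
     "module_path": r"C:\ProgramData\Vendor\tracing\trace.dll"},
    # ws01: injection from a process not on the injector list, and a system DLL load
    {"ts": "2024-05-01T10:00:08Z", "event_type": "PROCESS_INJECTION", "hostname": "ws01",
     "principal_path": r"C:\Windows\explorer.exe", "principal_pid": 1200,
     "target_path": r"C:\Windows\System32\notepad.exe", "target_pid": 5532},
    {"ts": "2024-05-01T10:00:09Z", "event_type": "PROCESS_MODULE_LOAD", "hostname": "ws01",
     "principal_path": r"C:\Windows\System32\notepad.exe", "principal_pid": 5532,
     "module_path": r"C:\Windows\System32\kernel32.dll"},
    # ws02: non-system DLL load with no injection on the host
    {"ts": "2024-05-01T10:00:10Z", "event_type": "PROCESS_MODULE_LOAD", "hostname": "ws02",
     "principal_path": r"C:\Users\bob\tool.exe", "principal_pid": 3300,
     "module_path": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    # ws03: injection and a suspicious load, but two minutes apart
    {"ts": "2024-05-01T10:05:00Z", "event_type": "PROCESS_INJECTION", "hostname": "ws03",
     "principal_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "principal_pid": 2222, "target_path": r"C:\Windows\System32\notepad.exe", "target_pid": 900},
    {"ts": "2024-05-01T10:07:00Z", "event_type": "PROCESS_MODULE_LOAD", "hostname": "ws03",
     "principal_path": r"C:\Windows\System32\notepad.exe", "principal_pid": 900,
     "module_path": r"C:\Users\carol\AppData\Local\Temp\late.dll"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_injection_candidate(ev):
    """Mirror the $inj predicates: injector allowlist, exclusion, non-empty target."""
    if ev["event_type"] != "PROCESS_INJECTION":
        return False
    principal = ev.get("principal_path", "")
    return (INJECTOR_RE.search(principal) is not None
            and EXCLUDED_INJECTOR_RE.search(principal) is None
            and bool(ev.get("target_path")))


def is_untrusted_module_load(ev, allowlist_prefixes=()):
    """Mirror the $load predicates, plus an optional tuning allowlist of path prefixes."""
    if ev["event_type"] != "PROCESS_MODULE_LOAD":
        return False
    module = ev.get("module_path", "")
    if not module or TRUSTED_DIR_RE.match(module):
        return False
    return not any(module.lower().startswith(p.lower()) for p in allowlist_prefixes)


def correlate(events, allowlist_prefixes=(), require_pid_match=False):
    """Return (injection, module_load) pairs on the same host within WINDOW of
    each other, in either order, as the rule's match window allows. The real
    rule fires once per host and window; this returns every contributing pair.
    require_pid_match adds the tighter join the rule lacks: the module must
    load into the injection target process."""
    injections = [e for e in events if is_injection_candidate(e)]
    loads = [e for e in events if is_untrusted_module_load(e, allowlist_prefixes)]
    hits = []
    for inj in injections:
        for load in loads:
            if load["hostname"] != inj["hostname"]:
                continue
            if abs(parse_ts(load["ts"]) - parse_ts(inj["ts"])) > WINDOW:
                continue
            if require_pid_match and load.get("principal_pid") != inj.get("target_pid"):
                continue
            hits.append((inj, load))
    return hits


if __name__ == "__main__":
    for inj, load in correlate(SAMPLE_EVENTS):
        print(f"{inj['hostname']}: {inj['principal_path']} -> {inj['target_path']}; "
              f"load {load['module_path']}")
```

With the sample events the host-only join yields two pairs on ws01, one of which is the vendor tracing DLL; either allowlisting the vendor prefix or requiring the PID match reduces that to the single genuine pair. ws02 has a suspicious load but no injector, and ws03's events fall outside the one-minute window, so neither host produces a hit.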
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DLL Injection via mavinject.exe (LOLBAS)

    Expected signal: Sysmon Event ID 1: Process Create for mavinject.exe with CommandLine containing /INJECTRUNNING. Sysmon Event ID 8: CreateRemoteThread from mavinject.exe targeting notepad.exe. Sysmon Event ID 7: ImageLoad of amsi.dll in notepad.exe process.

  2. Test 2: DLL Injection via PowerSploit Invoke-DllInjection (CreateRemoteThread with LoadLibrary; the reflective loader is Invoke-ReflectivePEInjection)

    Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 3: Network connection to raw.githubusercontent.com. Sysmon Event ID 8: CreateRemoteThread from PowerShell to notepad.exe. PowerShell ScriptBlock Log Event ID 4104 with Invoke-DllInjection content.

  3. Test 3: CreateRemoteThread DLL Injection via C# Executable

    Expected signal: Sysmon Event ID 1: Process Create for csc.exe (C# compiler) spawned by PowerShell. Sysmon Event ID 1: injector_test.exe execution. Sysmon Event ID 11: File Create for injector_test.exe in TEMP. If full injection is performed: Sysmon Event ID 8 for CreateRemoteThread.
