Detect Dynamic-link Library Injection in Sumo Logic CSE
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). Variations include reflective DLL injection (self-mapping DLL), memory module loading, and Module Stomping/DLL Hollowing where a legitimate DLL is loaded then its AddressOfEntryPoint is overwritten before execution.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.001 Dynamic-link Library Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/001/
Sumo Detection Query
(_sourceCategory=*sysmon* OR _sourceCategory=*windows*) (EventID=8 OR EventCode=8)
| where !(SourceImage matches /(?i)(MsMpEng|csrss|services|lsass)\.exe$/)
| where SourceImage matches /(?i)(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)\.exe$/
| parse field=SourceImage "*\\*" as _src_dir, InjectorName
| parse field=TargetImage "*\\*" as _tgt_dir, TargetName
| fields _messageTime, Computer, User, SourceImage, InjectorName, TargetImage, TargetName, StartModule, StartFunction
| sort by _messageTime descDetects Sysmon Event 8 (CreateRemoteThread) in Sumo Logic by filtering for known injector process names while excluding trusted system processes. Parses human-readable process names from full image paths for easier triage and dashboard display.
Data Sources
Required Tables
False Positives & Tuning
- Custom in-house software using CreateRemoteThread for inter-process communication between application components deployed from non-standard paths
- Electron-based applications and Chromium Embedded Framework apps that spawn renderer processes and inject helper DLLs at launch time
- Windows Subsystem for Linux (WSL2) interop shims create cross-process threads in Win32 host processes during Linux binary execution
Other platforms for T1055.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DLL Injection via mavinject.exe (LOLBAS)
Expected signal: Sysmon Event ID 1: Process Create for mavinject.exe with CommandLine containing /INJECTRUNNING. Sysmon Event ID 8: CreateRemoteThread from mavinject.exe targeting notepad.exe. Sysmon Event ID 7: ImageLoad of amsi.dll in notepad.exe process.
- Test 2Reflective DLL Injection via PowerSploit Invoke-DllInjection
Expected signal: Sysmon Event ID 1: PowerShell process creation. Sysmon Event ID 3: Network connection to raw.githubusercontent.com. Sysmon Event ID 8: CreateRemoteThread from PowerShell to notepad.exe. PowerShell ScriptBlock Log Event ID 4104 with Invoke-DllInjection content.
- Test 3CreateRemoteThread DLL Injection via C# Executable
Expected signal: Sysmon Event ID 1: Process Create for csc.exe (C# compiler) spawned by PowerShell. Sysmon Event ID 1: injector_test.exe execution. Sysmon Event ID 11: File Create for injector_test.exe in TEMP. If full injection is performed: Sysmon Event ID 8 for CreateRemoteThread.
References (7)
- https://attack.mitre.org/techniques/T1055/001/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://www.endgame.com/blog/technical-blog/hunting-memory
- https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
- https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md
- https://lolbas-project.github.io/lolbas/Binaries/Mavinject/
Unlock Pro Content
Get the full detection package for T1055.001 including response playbook, investigation guide, and atomic red team tests.