Portable Executable Injection

// Detect PE injection via cross-process memory allocation and thread creation
// Focus on processes that allocate RWX memory in remote processes
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "svchost.exe", "lsass.exe", "wmiprvse.exe")
| join kind=leftouter (
    DeviceImageLoadEvents
    | where Timestamp > ago(24h)
    | project LoadTime=Timestamp, DeviceName, ProcessId=InitiatingProcessId, LoadedModule=FileName
) on DeviceName, $left.ProcessId == $right.ProcessId
| where isempty(LoadedModule) or LoadedModule == ""
| extend InjectionType = "PE Injection (no DLL load - direct code injection)"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InjectionType
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| rename SourceImage as Injector, TargetImage as Target
| search NOT Injector IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\svchost.exe", "*\\lsass.exe")
| eval InjectorName=mvindex(split(Injector, "\\"), -1)
| eval TargetName=mvindex(split(Target, "\\"), -1)
| eval StartModulePresent=if(isnotnull(StartModule) AND StartModule!="", "Yes", "No")
| where StartModulePresent="No"
| eval PEInjectionIndicator="CreateRemoteThread with no StartModule (direct code injection)"
| table _time, host, User, Injector, Target, StartModule, StartFunction, StartAddress, PEInjectionIndicator
| sort - _time

any where event.code == "8"
  and (winlog.event_data.StartModule == null or winlog.event_data.StartModule == "")
  and not process.executable like~ "*\\MsMpEng.exe"
  and not process.executable like~ "*\\csrss.exe"
  and not process.executable like~ "*\\services.exe"
  and not process.executable like~ "*\\svchost.exe"
  and not process.executable like~ "*\\lsass.exe"
  and not process.executable like~ "*\\wmiprvse.exe"

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  sourceip AS SourceIP,
  username AS User,
  "SourceImage" AS InjectorProcess,
  "TargetImage" AS TargetProcess,
  "StartModule" AS StartModule,
  "StartAddress" AS StartAddress,
  "StartFunction" AS StartFunction
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%sysmon%'
  AND QIDNAME(qid) LIKE '%CreateRemoteThread%'
  AND ("StartModule" IS NULL OR "StartModule" = '')
  AND "SourceImage" NOT ILIKE '%MsMpEng.exe'
  AND "SourceImage" NOT ILIKE '%csrss.exe'
  AND "SourceImage" NOT ILIKE '%services.exe'
  AND "SourceImage" NOT ILIKE '%svchost.exe'
  AND "SourceImage" NOT ILIKE '%lsass.exe'
  AND "SourceImage" NOT ILIKE '%wmiprvse.exe'
ORDER BY starttime DESC
LAST 24 HOURS

_sourceCategory=*sysmon* EventCode=8
| where !(SourceImage matches "*MsMpEng.exe")
| where !(SourceImage matches "*csrss.exe")
| where !(SourceImage matches "*services.exe")
| where !(SourceImage matches "*svchost.exe")
| where !(SourceImage matches "*lsass.exe")
| where !(SourceImage matches "*wmiprvse.exe")
| where isNull(StartModule) OR StartModule=""
| "CreateRemoteThread with empty StartModule — direct PE injection suspected" as PEInjectionIndicator
| fields _messageTime, Computer, User, SourceImage, TargetImage, StartAddress, StartFunction, PEInjectionIndicator
| sort by _messageTime desc

rule pe_injection_create_remote_thread_no_module {
  meta:
    author = "Detection Engineering"
    description = "Detects PE injection via Sysmon CreateRemoteThread (Event 8) with no StartModule, indicating direct code injection into a remote process"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1055/002/"

  events:
    $e.metadata.product_event_type = "8"
    re.regex($e.metadata.product_name, `(?i)sysmon`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(MsMpEng|csrss|services|svchost|lsass|wmiprvse)\.exe$`)
    $e.about.labels["StartModule"] = ""

  condition:
    $e
}

#event_simpleName=CreateRemoteThread
| SourceFileName != "MsMpEng.exe"
| SourceFileName != "csrss.exe"
| SourceFileName != "services.exe"
| SourceFileName != "svchost.exe"
| SourceFileName != "lsass.exe"
| SourceFileName != "wmiprvse.exe"
| not StartModule = /.+/
| StartModule := "(absent — PE injection indicator)"
| table([_timestamp, ComputerName, UserName, SourceProcessId, SourceFileName, TargetProcessId, TargetFileName, StartAddress, StartModule])
| sort(field=_timestamp, order=desc)