Detect Portable Executable Injection in Elastic Security
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Unlike DLL injection, PE injection copies the entire executable image into the target process rather than loading a DLL via LoadLibrary. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.002 Portable Executable Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/002/
Elastic Detection Query
any where event.code == "8"
and (winlog.event_data.StartModule == null or winlog.event_data.StartModule == "")
and not process.executable like~ "*\\MsMpEng.exe"
and not process.executable like~ "*\\csrss.exe"
and not process.executable like~ "*\\services.exe"
and not process.executable like~ "*\\svchost.exe"
and not process.executable like~ "*\\lsass.exe"
and not process.executable like~ "*\\wmiprvse.exe"Detects PE injection via Sysmon Event ID 8 (CreateRemoteThread) where winlog.event_data.StartModule is null or empty, indicating a remote thread was created without a backing DLL — the hallmark of direct PE injection. process.executable maps to the Sysmon SourceImage field via Winlogbeat/Elastic Agent ECS normalization.
Data Sources
Required Tables
False Positives & Tuning
- EDR and AV agents that legitimately create unmapped threads in monitored processes for behavioral hooking (e.g., CrowdStrike Falcon, Carbon Black)
- Software debuggers such as Visual Studio, WinDbg, and x64dbg that create remote threads in attached processes during debugging sessions
- Game anti-cheat engines (EasyAntiCheat, BattlEye, Ricochet) that inject threads into game processes without a corresponding module reference
Other platforms for T1055.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PE Injection via PowerShell with VirtualAllocEx and WriteProcessMemory
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain used: Sysmon Event ID 10 (ProcessAccess) from PowerShell to notepad.exe with PROCESS_VM_WRITE rights. Sysmon Event ID 8 if CreateRemoteThread is called.
- Test 2Shellcode Injection via Donut Framework
Expected signal: When using the full Donut injection: Sysmon Event ID 8 (CreateRemoteThread) with empty StartModule. Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS. No corresponding Sysmon Event ID 7 (ImageLoad) in the target process.
- Test 3Process Injection using C# System.Diagnostics APIs
Expected signal: Sysmon Event ID 1: csc.exe spawned by PowerShell (compilation). Sysmon Event ID 11: pe_inject_test.exe created in TEMP. Sysmon Event ID 1: pe_inject_test.exe execution. Sysmon Event ID 1: notepad.exe spawned by pe_inject_test.exe.
References (5)
- https://attack.mitre.org/techniques/T1055/002/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md
- https://github.com/TheWover/donut
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1055.002 including response playbook, investigation guide, and atomic red team tests.