
Detect Portable Executable Injection in IBM QRadar

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Unlike DLL injection, PE injection copies the entire executable image into the target process rather than loading a DLL via LoadLibrary, so the payload never passes through the Windows loader: no ImageLoad event is produced for it, and the new thread's start address is not backed by any module the target has loaded. Because the image lands at an address other than the one it was linked for, the injected code must also fix up its own memory references (apply its relocations, or be written position-independent) before it can run.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.002 Portable Executable Injection
Canonical reference
https://attack.mitre.org/techniques/T1055/002/

QRadar Detection Query

IBM QRadar (AQL)
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  sourceip AS SourceIP,
  username AS User,
  "SourceImage" AS InjectorProcess,
  "TargetImage" AS TargetProcess,
  "StartModule" AS StartModule,
  "StartAddress" AS StartAddress,
  "StartFunction" AS StartFunction
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%sysmon%'
  AND QIDNAME(qid) LIKE '%CreateRemoteThread%'
  AND ("StartModule" IS NULL OR "StartModule" = '')
  AND "SourceImage" NOT ILIKE '%MsMpEng.exe'
  AND "SourceImage" NOT ILIKE '%csrss.exe'
  AND "SourceImage" NOT ILIKE '%services.exe'
  AND "SourceImage" NOT ILIKE '%svchost.exe'
  AND "SourceImage" NOT ILIKE '%lsass.exe'
  AND "SourceImage" NOT ILIKE '%wmiprvse.exe'
ORDER BY starttime DESC
LAST 24 HOURS
Severity: critical. Confidence: medium.

IBM QRadar AQL query detecting PE injection via Sysmon CreateRemoteThread (Event ID 8) events where the StartModule custom property is null or empty, meaning Sysmon could not map the new thread's start address to any image loaded in the target process. A thread that starts in memory that was written rather than mapped from a file is what PE and shellcode injection leave behind; LoadLibrary-based DLL injection resolves to kernel32.dll instead and is not matched here. The query relies on a Sysmon DSM (built-in or custom) that parses SourceImage, TargetImage, StartModule, StartAddress, and StartFunction as QRadar custom event properties. The filter LOGSOURCENAME(logsourceid) ILIKE '%sysmon%' scopes the search to Sysmon log sources; adjust it to match your environment's log source naming convention, and check the QID name your DSM assigns to Event ID 8 before relying on the '%CreateRemoteThread%' match. Two checks before deploying: a custom property that fails to parse is also null and will match, so confirm StartModule is extracted correctly from a known-good Event ID 8 that has a populated module; and Sysmon renders an unresolved StartModule as the placeholder "-" rather than an empty string, so if your DSM passes that literal through unchanged, extend the condition with "StartModule" = '-'.
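The WHERE clause of the query above, replicated in Python and run over constructed Sysmon Event ID 8 records so the logic can be exercised offline. This is an added example, not code from the original page or from IBM; the XML records, image paths, addresses and the "Sysmon @ WS01" log source name are made up. It goes one step beyond the AQL by also treating the "-" placeholder Sysmon writes for an unresolved StartModule as empty, and it shows the parse-failure case from the tuning section: a StartModule property that never parsed is null and therefore matches.

```python
"""Replica of the AQL WHERE clause, run over constructed Sysmon Event ID 8
records. Added example; not code from the original page or from IBM."""
import xml.etree.ElementTree as ET
from typing import Optional

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SYSMON_NS}

# Same allowlist as the NOT ILIKE '%name.exe' clauses: compared on the image
# file name, case-insensitively, whatever directory the image lives in.
EXCLUDED_SOURCE_IMAGES = {
    "msmpeng.exe", "csrss.exe", "services.exe",
    "svchost.exe", "lsass.exe", "wmiprvse.exe",
}

# Values meaning "start address is not inside any module loaded in the target":
# None = the QRadar custom property did not parse (AQL: IS NULL),
# ""   = parsed but empty (AQL: = ''),
# "-"  = the placeholder Sysmon itself writes for an unresolved module
#        (assumption: the DSM passes that literal through; the AQL above
#        does not cover it).
UNRESOLVED_MODULE = (None, "", "-")


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon <Event> into {field: value}.
    A <Data> element that is missing leaves its key absent, so a later .get()
    returns None, mirroring a custom property that failed to parse."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("./e:System/e:EventID", namespaces=NS))}
    for data in root.findall("./e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def source_image_excluded(image: Optional[str]) -> bool:
    """The "SourceImage" NOT ILIKE '%name.exe' clauses, applied to the file name."""
    if not image:
        return False
    return image.rsplit("\\", 1)[-1].lower() in EXCLUDED_SOURCE_IMAGES


def matches_rule(event: dict, log_source_name: str) -> bool:
    """Mirror of the WHERE clause: Sysmon log source, CreateRemoteThread
    (Event ID 8), StartModule unresolved, source image not allowlisted."""
    if "sysmon" not in log_source_name.lower():   # LOGSOURCENAME(...) ILIKE '%sysmon%'
        return False
    if event.get("EventID") != 8:                  # QIDNAME(qid) LIKE '%CreateRemoteThread%'
        return False
    if event.get("StartModule") not in UNRESOLVED_MODULE:
        return False
    return not source_image_excluded(event.get("SourceImage"))


def run_detection(xml_events: list, log_source_name: str = "Sysmon @ WS01") -> list:
    """Return (InjectorProcess, TargetProcess, StartAddress) for each event the
    rule would raise, in the order received."""
    hits = []
    for xml_text in xml_events:
        event = parse_sysmon_event(xml_text)
        if matches_rule(event, log_source_name):
            hits.append((event.get("SourceImage"), event.get("TargetImage"),
                         event.get("StartAddress")))
    return hits


def _event(event_id: int, **fields) -> str:
    """Build a minimal Sysmon-style <Event> (constructed test data, not a capture)."""
    data = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in fields.items())
    return (f'<Event xmlns="{SYSMON_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # 1. PowerShell starts a thread in notepad at an unbacked address: fires.
    _event(8, SourceImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           TargetImage=r"C:\Windows\System32\notepad.exe",
           StartAddress="0x0000000002F40000", StartModule="-", StartFunction="-"),
    # 2. Defender's engine doing the same to hook a process: allowlisted, silent.
    _event(8, SourceImage=r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
           TargetImage=r"C:\Program Files\App\app.exe",
           StartAddress="0x00007FF6A0001000", StartModule="-", StartFunction="-"),
    # 3. LoadLibrary-based DLL injection: start address resolves to kernel32, so
    #    StartModule is populated and this rule stays quiet (a different rule's job).
    _event(8, SourceImage=r"C:\Temp\injector.exe",
           TargetImage=r"C:\Windows\explorer.exe", StartAddress="0x00007FFB2C3A1B40",
           StartModule=r"C:\Windows\System32\KERNEL32.DLL", StartFunction="LoadLibraryA"),
    # 4. DSM parse failure: StartModule never extracted, so it is null and the
    #    rule fires on an EDR agent (the first tuning bullet below).
    _event(8, SourceImage=r"C:\Program Files\Vendor\edr_agent.exe",
           TargetImage=r"C:\Windows\System32\svchost.exe",
           StartAddress="0x00007FFB2C3A1B40"),
]

if __name__ == "__main__":
    for injector, target, address in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {injector} -> {target} @ {address}")
```

Running the block prints two alerts: the PowerShell injection and the parse-failure record. The fourth sample is the one to keep in mind when tuning: extending the NOT ILIKE allowlist hides a noisy source image, but it does not fix a DSM that is silently dropping StartModule, which turns every Event ID 8 into a match.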

Data Sources

Microsoft Windows Sysmon via QRadar DSM
Windows Event Log forwarded to QRadar

Required Tables

events (QRadar AQL events table with Sysmon custom properties)

False Positives & Tuning

  • Legitimate endpoint security products performing injection-based API hooking may create remote threads without populating StartModule in the parsed DSM output; once verified by image path and signer, add their images to the NOT ILIKE allowlist
  • Debuggers, profilers and diagnostic tooling for managed runtimes (.NET CLR, Java JVM) that create a thread in an attached process at an address in JIT-compiled or otherwise unbacked memory, which leaves Sysmon no module path to report (Event ID 8 is only raised for cross-process thread creation, so threads a runtime creates in its own process do not appear here)
  • Software DRM and copy-protection systems (e.g., Denuvo) that spawn enforcement threads in protected application processes without a discoverable module reference

Testing Methodology

Validate this detection against the following three Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: PE Injection via PowerShell with VirtualAllocEx and WriteProcessMemory

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If the full API chain is used: Sysmon Event ID 10 (ProcessAccess) from PowerShell to notepad.exe with PROCESS_VM_WRITE rights, and Sysmon Event ID 8 (CreateRemoteThread) with an empty StartModule if the thread is started with CreateRemoteThread. Only that Event ID 8 satisfies the query above; the process creation and access events alone do not.

  2. Test 2: Shellcode Injection via Donut Framework

    Expected signal: When using the full Donut injection: Sysmon Event ID 8 (CreateRemoteThread) with empty StartModule. Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS. No corresponding Sysmon Event ID 7 (ImageLoad) in the target process.

  3. Test 3: Process Injection using C# System.Diagnostics APIs

    Expected signal: Sysmon Event ID 1: csc.exe spawned by PowerShell (compilation). Sysmon Event ID 11: pe_inject_test.exe created in TEMP. Sysmon Event ID 1: pe_inject_test.exe execution. Sysmon Event ID 1: notepad.exe spawned by pe_inject_test.exe. None of these process-creation or file-creation events match the query above; also confirm that the injection step itself produced a Sysmon Event ID 8 (CreateRemoteThread) with an empty StartModule, since without it the query does not fire.
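A check of a Sysmon event sequence against the signals the Donut test above expects: a ProcessAccess (Event ID 10) from injector to target with PROCESS_ALL_ACCESS, a CreateRemoteThread (Event ID 8) whose StartModule is unresolved, and no ImageLoad (Event ID 7) in the target afterwards, contrasted with a LoadLibrary-based DLL injection sequence that fails those checks. This is an added example, not part of the original page or of the Donut project; the event sequences, the loader image name donut_loader.exe and the addresses are constructed, and the access-right values are the winnt.h constants.

```python
"""Check a Sysmon event sequence against the telemetry the Donut test expects.
Added example; the events are constructed, not captured from a real run."""

# Process access rights from winnt.h that writing and starting code requires.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
PROCESS_ALL_ACCESS = 0x1FFFFF        # the mask Sysmon logs for a fully privileged handle
UNRESOLVED_MODULE = (None, "", "-")  # StartModule not backed by a loaded image


def granted_access(event: dict) -> int:
    """Sysmon Event 10 writes GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(event["GrantedAccess"], 16)


def check_injection_telemetry(events: list, injector: str, target: str) -> dict:
    """Evaluate each expected signal for one injector -> target pair.
    `events` is the chronological list of Sysmon events in the test window."""
    accesses = [e for e in events if e["EventID"] == 10
                and e["SourceImage"] == injector and e["TargetImage"] == target]
    thread_idx = [i for i, e in enumerate(events) if e["EventID"] == 8
                  and e["SourceImage"] == injector and e["TargetImage"] == target]
    first_thread = thread_idx[0] if thread_idx else None
    loads_in_target_after = [e for i, e in enumerate(events)
                             if first_thread is not None and i > first_thread
                             and e["EventID"] == 7 and e["Image"] == target]
    return {
        # enough rights to write memory and start a thread (Test 1's PROCESS_VM_WRITE and more)
        "access_allows_injection": any(
            (granted_access(e) & INJECTION_RIGHTS) == INJECTION_RIGHTS for e in accesses),
        # the full mask the Donut test expects
        "access_is_all_access": any(granted_access(e) == PROCESS_ALL_ACCESS for e in accesses),
        # the condition the QRadar query alerts on
        "remote_thread_unbacked": any(
            events[i].get("StartModule") in UNRESOLVED_MODULE for i in thread_idx),
        # PE/shellcode injection maps no new image in the target, unlike LoadLibrary injection
        "no_image_load_in_target": first_thread is not None and not loads_in_target_after,
    }


LOADER = r"C:\Temp\donut_loader.exe"        # placeholder name for the shellcode loader
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Constructed sequence for the Donut test: every expectation holds.
DONUT_RUN = [
    {"EventID": 1, "Image": LOADER, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 10, "SourceImage": LOADER, "TargetImage": NOTEPAD, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": LOADER, "TargetImage": NOTEPAD,
     "StartAddress": "0x000001D3F2B40000", "StartModule": "-", "StartFunction": "-"},
    # the loader loading a system DLL into itself is not an image load in the target
    {"EventID": 7, "Image": LOADER, "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},
]

# Contrast: LoadLibrary-based DLL injection. The handle carries only the three
# rights needed, the thread starts inside kernel32, and the payload DLL shows up
# as an ImageLoad in the target, so three of the four checks fail.
DLL_INJECTION_RUN = [
    {"EventID": 10, "SourceImage": LOADER, "TargetImage": NOTEPAD, "GrantedAccess": "0x002A"},
    {"EventID": 8, "SourceImage": LOADER, "TargetImage": NOTEPAD,
     "StartAddress": "0x00007FFB2C3A1B40",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 7, "Image": NOTEPAD, "ImageLoaded": r"C:\Temp\payload.dll"},
]

if __name__ == "__main__":
    for name, run in (("donut", DONUT_RUN), ("dll", DLL_INJECTION_RUN)):
        print(name, check_injection_telemetry(run, LOADER, NOTEPAD))
```

The "no_image_load_in_target" check is what separates this sub-technique's telemetry from T1055.001: both produce an Event ID 8, but only the LoadLibrary path produces an Event ID 7 in the target whose ImageLoaded is the payload. Note that Event ID 7 is only emitted when the Sysmon configuration enables ImageLoad, so a missing event is meaningful only on hosts where that logging is on.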
