Detect Portable Executable Injection in Splunk
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). Unlike DLL injection, PE injection copies the entire executable image into the target process rather than loading a DLL via LoadLibrary. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.002 Portable Executable Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| rename SourceImage as Injector, TargetImage as Target
| search NOT Injector IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\svchost.exe", "*\\lsass.exe")
| eval InjectorName=mvindex(split(Injector, "\\"), -1)
| eval TargetName=mvindex(split(Target, "\\"), -1)
| eval StartModulePresent=if(isnotnull(StartModule) AND StartModule!="", "Yes", "No")
| where StartModulePresent="No"
| eval PEInjectionIndicator="CreateRemoteThread with no StartModule (direct code injection)"
| table _time, host, User, Injector, Target, StartModule, StartFunction, StartAddress, PEInjectionIndicator
| sort - _timeDetects PE injection by identifying Sysmon Event ID 8 (CreateRemoteThread) where the StartModule field is empty, indicating the remote thread's start address does not map to a loaded module. This is a strong indicator of direct code/shellcode injection rather than DLL-based injection via LoadLibrary.
Data Sources
Required Sourcetypes
False Positives & Tuning
- EDR agents using shellcode-based hooks in monitored processes
- .NET CLR dynamically compiling and injecting JIT code
- Anti-cheat software injecting integrity checking code
- Windows Error Reporting (WerFault.exe) creating threads in crashed processes
Other platforms for T1055.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PE Injection via PowerShell with VirtualAllocEx and WriteProcessMemory
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain used: Sysmon Event ID 10 (ProcessAccess) from PowerShell to notepad.exe with PROCESS_VM_WRITE rights. Sysmon Event ID 8 if CreateRemoteThread is called.
- Test 2Shellcode Injection via Donut Framework
Expected signal: When using the full Donut injection: Sysmon Event ID 8 (CreateRemoteThread) with empty StartModule. Sysmon Event ID 10 (ProcessAccess) with PROCESS_ALL_ACCESS. No corresponding Sysmon Event ID 7 (ImageLoad) in the target process.
- Test 3Process Injection using C# System.Diagnostics APIs
Expected signal: Sysmon Event ID 1: csc.exe spawned by PowerShell (compilation). Sysmon Event ID 11: pe_inject_test.exe created in TEMP. Sysmon Event ID 1: pe_inject_test.exe execution. Sysmon Event ID 1: notepad.exe spawned by pe_inject_test.exe.
References (5)
- https://attack.mitre.org/techniques/T1055/002/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md
- https://github.com/TheWover/donut
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1055.002 including response playbook, investigation guide, and atomic red team tests.