T1055.003 Thread Execution Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect Thread Execution Hijacking via SetThreadContext API usage
// Key indicator: SuspendThread + SetThreadContext + ResumeThread on a remote process
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("SetThreadContextApiCall", "CreateRemoteThreadApiCall")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe")
| where InitiatingProcessId != ProcessId
| extend IsSuspiciousTarget = FileName in~ ("svchost.exe", "explorer.exe", "ctfmon.exe", "RuntimeBroker.exe", "sihost.exe")
| project Timestamp, DeviceName, AccountName, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
         FileName, ProcessId, IsSuspiciousTarget
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: OS API Execution Process: Process Access Microsoft Defender for Endpoint

Required Tables

DeviceEvents

False Positives

Debuggers (WinDbg, x64dbg, Visual Studio) using SetThreadContext to modify debuggee thread state
Windows Error Reporting (WerFault.exe) suspending and inspecting crashed process threads
Anti-cheat software suspending and scanning game process threads for integrity
Application crash handlers that suspend threads to generate crash dumps

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
| where GrantedAccess IN ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1F1FFF", "0x143A", "0x1478")
| rename SourceImage as Hijacker, TargetImage as Victim
| search NOT Hijacker IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\WerFault.exe", "*\\taskmgr.exe", "*\\WmiPrvSE.exe")
| eval HijackerName=mvindex(split(Hijacker, "\\"), -1)
| eval VictimName=mvindex(split(Victim, "\\"), -1)
| eval ThreadHijackSuspect=if(match(GrantedAccess, "(0x1FFFFF|0x001F0FFF|0x1F3FFF)"), "High - PROCESS_ALL_ACCESS or THREAD_ALL_ACCESS", "Medium - Suspicious access mask")
| table _time, host, User, Hijacker, Victim, GrantedAccess, ThreadHijackSuspect
| sort - _time

critical severity high confidence

Data Sources

Process: Process Access Sysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Debuggers legitimately accessing thread context of debuggee processes
Windows Error Reporting accessing crashed process threads
Anti-cheat software performing thread integrity checks
System management tools inspecting process thread states

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start" and
   process.name != null and
   not process.name in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe", "WmiPrvSE.exe")]
  [process where event.action == "process_accessed" and
   process.Ext.api.name in ("SetThreadContext", "ResumeThread", "SuspendThread", "VirtualAllocEx", "WriteProcessMemory") and
   target.process.name in~ ("svchost.exe", "explorer.exe", "ctfmon.exe", "RuntimeBroker.exe", "sihost.exe", "lsass.exe", "winlogon.exe") and
   not process.name in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe")]

high severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon via Winlogbeat Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Debuggers and development tools (Visual Studio, WinDbg, x64dbg) legitimately call SetThreadContext and SuspendThread/ResumeThread when debugging applications
Game anti-cheat engines (BattleEye, EasyAntiCheat) use process access APIs for memory scanning and may trigger on access to game launcher processes
Security products performing in-memory scanning or behavioral monitoring may use thread manipulation APIs on monitored processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "sourceprocessname" AS hijacker_process,
  "destinationprocessname" AS victim_process,
  "categoryname"(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Extra" AS additional_fields
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 225)
  AND qid IN (
    SELECT qid FROM qidmap WHERE qname LIKE '%SetThreadContext%'
    UNION
    SELECT qid FROM qidmap WHERE qname LIKE '%CreateRemoteThread%'
    UNION
    SELECT qid FROM qidmap WHERE qname LIKE '%ProcessAccess%'
  )
  AND "sourceprocessname" NOT ILIKE '%MsMpEng%'
  AND "sourceprocessname" NOT ILIKE '%csrss%'
  AND "sourceprocessname" NOT ILIKE '%services.exe%'
  AND "sourceprocessname" NOT ILIKE '%WerFault%'
  AND "sourceprocessname" NOT ILIKE '%taskmgr%'
  AND "sourceprocessname" NOT ILIKE '%WmiPrvSE%'
  AND (
    "destinationprocessname" ILIKE '%svchost%'
    OR "destinationprocessname" ILIKE '%explorer%'
    OR "destinationprocessname" ILIKE '%ctfmon%'
    OR "destinationprocessname" ILIKE '%RuntimeBroker%'
    OR "destinationprocessname" ILIKE '%lsass%'
    OR "destinationprocessname" ILIKE '%winlogon%'
  )
  AND INOFFSET(starttime, -24 HOURS)
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log QRadar Endpoint Activity Monitor

Required Tables

events

False Positives

Endpoint detection and response agents that perform process memory inspection may generate process access events to svchost.exe and other system processes during behavioral monitoring
Software deployment tools (SCCM, Ivanti) may inject code into running processes during patching or software installation workflows
Virtualization and containerization software may use thread context manipulation for process isolation and sandboxing capabilities

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=10
| parse "<SourceImage>*</SourceImage>" as source_image
| parse "<TargetImage>*</TargetImage>" as target_image
| parse "<GrantedAccess>*</GrantedAccess>" as granted_access
| parse "<SourceProcessId>*</SourceProcessId>" as source_pid
| parse "<TargetProcessId>*</TargetProcessId>" as target_pid
| parse "<User>*</User>" as user
| where granted_access in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1F1FFF", "0x143A", "0x1478", "0x40", "0x20")
| where !(source_image matches "*MsMpEng.exe" or source_image matches "*csrss.exe" or source_image matches "*services.exe" or source_image matches "*WerFault.exe" or source_image matches "*taskmgr.exe" or source_image matches "*WmiPrvSE.exe")
| where target_image matches "*svchost.exe" or target_image matches "*explorer.exe" or target_image matches "*ctfmon.exe" or target_image matches "*RuntimeBroker.exe" or target_image matches "*lsass.exe" or target_image matches "*winlogon.exe" or target_image matches "*sihost.exe"
| if(granted_access in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF"), "High - PROCESS_ALL_ACCESS or THREAD_ALL_ACCESS", "Medium - Suspicious access mask") as hijack_severity
| fields _messageTime, _sourceHost, user, source_image, target_image, granted_access, source_pid, target_pid, hijack_severity
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sysmon via Sumo Logic Windows Agent Sumo Logic Cloud SIEM Enterprise normalized process access events

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate process injection performed by endpoint security solutions for behavioral monitoring — many EDR agents use process access APIs that resemble injection patterns
Just-in-time (JIT) compilers in .NET and Java runtimes may write executable code into memory regions and manipulate thread contexts as part of normal JIT compilation
Remote administration tools (RATs used legitimately, such as TeamViewer or AnyDesk) may perform thread-level operations on target processes during screen sharing or remote control sessions

Google Chronicle / SecOps

yaral

rule thread_execution_hijacking_t1055_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Thread Execution Hijacking via suspicious process access with THREAD_ALL_ACCESS or PROCESS_ALL_ACCESS masks targeting high-value system processes"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.principal.process.file.full_path != /(?i)(MsMpEng\.exe|csrss\.exe|services\.exe|WerFault\.exe|taskmgr\.exe|WmiPrvSE\.exe)$/
    (
      $e.target.process.file.full_path = /(?i)(svchost\.exe|explorer\.exe|ctfmon\.exe|RuntimeBroker\.exe|sihost\.exe|lsass\.exe|winlogon\.exe)$/
    )
    (
      $e.security_result.detection_fields["granted_access"] = "0x1FFFFF" or
      $e.security_result.detection_fields["granted_access"] = "0x001F0FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x1F3FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x1F1FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x143A" or
      $e.security_result.detection_fields["granted_access"] = "0x1478"
    )
    $e.principal.process.pid != $e.target.process.pid
    $hostname = $e.principal.hostname

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM via Google Workspace forwarding Sysmon logs ingested into Chronicle via forwarder Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_OPEN

False Positives

Antivirus and EDR products routinely open processes with high-privilege access masks for scanning and behavioral monitoring — particularly MDE, CrowdStrike Falcon, and Carbon Black sensors
System administration scripts using Windows Management Instrumentation (WMI) or PSExec to perform remote operations may open processes with broad access masks for legitimate management purposes
Software crash reporting tools and automated test frameworks (like Application Verifier) use process access APIs with high permission levels to capture crash dumps and perform memory analysis

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessAccess
| TargetImageFileName=/(?i)(svchost\.exe|explorer\.exe|ctfmon\.exe|RuntimeBroker\.exe|sihost\.exe|lsass\.exe|winlogon\.exe)$/
| SourceImageFileName!=/(?i)(MsMpEng\.exe|csrss\.exe|services\.exe|WerFault\.exe|taskmgr\.exe|WmiPrvSE\.exe|SenseIR\.exe|SenseCE\.exe)/
| DesiredAccess=/(0x1FFFFF|0x001F0FFF|0x1F3FFF|0x1F1FFF|0x143A|0x1478)/
| SourceProcessId != TargetProcessId
| eval hijack_severity=if(match(DesiredAccess, "(0x1FFFFF|0x001F0FFF|0x1F3FFF)"), "High - PROCESS_ALL_ACCESS", "Medium - Suspicious thread access")
| groupBy([ComputerName, UserName, SourceImageFileName, TargetImageFileName, DesiredAccess, hijack_severity], function=[count(aid, as=event_count), max(timestamp, as=last_seen), min(timestamp, as=first_seen)])
| sort(last_seen, order=desc)
| table([last_seen, first_seen, ComputerName, UserName, SourceImageFileName, TargetImageFileName, DesiredAccess, hijack_severity, event_count])

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessAccess telemetry) Falcon Data Replicator (FDR) process access events

Required Tables

#event_simpleName=ProcessAccess

False Positives

CrowdStrike Falcon sensor itself and other installed EDR products generate ProcessAccess events when performing their own behavioral monitoring and memory scanning activities on system processes
Windows Performance Monitor (perfmon) and diagnostic tools like Process Monitor (procmon) open processes with broad access masks when collecting real-time performance counters and memory statistics
Application compatibility shims and Windows subsystem components may open processes with elevated access masks during application startup, patching, or compatibility layer initialization

Thread Execution Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections