T1055.003 Google Chronicle · YARA-L

Detect Thread Execution Hijacking in Google Chronicle

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.003 Thread Execution Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule thread_execution_hijacking_t1055_003 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Thread Execution Hijacking via suspicious process access with THREAD_ALL_ACCESS or PROCESS_ALL_ACCESS masks targeting high-value system processes"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.principal.process.file.full_path != /(?i)(MsMpEng\.exe|csrss\.exe|services\.exe|WerFault\.exe|taskmgr\.exe|WmiPrvSE\.exe)$/
    (
      $e.target.process.file.full_path = /(?i)(svchost\.exe|explorer\.exe|ctfmon\.exe|RuntimeBroker\.exe|sihost\.exe|lsass\.exe|winlogon\.exe)$/
    )
    (
      $e.security_result.detection_fields["granted_access"] = "0x1FFFFF" or
      $e.security_result.detection_fields["granted_access"] = "0x001F0FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x1F3FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x1F1FFF" or
      $e.security_result.detection_fields["granted_access"] = "0x143A" or
      $e.security_result.detection_fields["granted_access"] = "0x1478"
    )
    $e.principal.process.pid != $e.target.process.pid
    $hostname = $e.principal.hostname

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule detecting Thread Execution Hijacking by monitoring PROCESS_OPEN events where a non-whitelisted process opens a high-value system process with access masks associated with full process or thread control. Targets PROCESS_ALL_ACCESS (0x1FFFFF), THREAD_ALL_ACCESS (0x001F0FFF), and related suspicious access patterns used in thread hijacking.

Data Sources

Chronicle UDM via Google Workspace forwardingSysmon logs ingested into Chronicle via forwarderMicrosoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events with metadata.event_type = PROCESS_OPEN

False Positives & Tuning

  • Antivirus and EDR products routinely open processes with high-privilege access masks for scanning and behavioral monitoring — particularly MDE, CrowdStrike Falcon, and Carbon Black sensors
  • System administration scripts using Windows Management Instrumentation (WMI) or PSExec to perform remote operations may open processes with broad access masks for legitimate management purposes
  • Software crash reporting tools and automated test frameworks (like Application Verifier) use process access APIs with high permission levels to capture crash dumps and perform memory analysis
Download portable Sigma rule (.yml)

Other platforms for T1055.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Thread Hijacking API Chain Simulation

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.

  2. Test 2SuspendThread via NtSuspendThread Syscall

    Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.

  3. Test 3Thread Context Modification Detection Test

    Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.004Asynchronous Procedure CallT1055.002Portable Executable InjectionT1106Native API

Same Tactic: Defense Evasion

Popular Detections