Detect Thread Execution Hijacking in Elastic Security
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.003 Thread Execution Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/003/
Elastic Detection Query
sequence by host.id with maxspan=30s
[process where event.type == "start" and
process.name != null and
not process.name in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe", "WmiPrvSE.exe")]
[process where event.action == "process_accessed" and
process.Ext.api.name in ("SetThreadContext", "ResumeThread", "SuspendThread", "VirtualAllocEx", "WriteProcessMemory") and
target.process.name in~ ("svchost.exe", "explorer.exe", "ctfmon.exe", "RuntimeBroker.exe", "sihost.exe", "lsass.exe", "winlogon.exe") and
not process.name in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe")]Detects Thread Execution Hijacking by correlating process access events involving SetThreadContext, SuspendThread, and ResumeThread API calls targeting high-value Windows system processes from non-whitelisted initiating processes. Uses EQL sequence to chain the attack chain within a 30-second window.
Data Sources
Required Tables
False Positives & Tuning
- Debuggers and development tools (Visual Studio, WinDbg, x64dbg) legitimately call SetThreadContext and SuspendThread/ResumeThread when debugging applications
- Game anti-cheat engines (BattleEye, EasyAntiCheat) use process access APIs for memory scanning and may trigger on access to game launcher processes
- Security products performing in-memory scanning or behavioral monitoring may use thread manipulation APIs on monitored processes
Other platforms for T1055.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Thread Hijacking API Chain Simulation
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.
- Test 2SuspendThread via NtSuspendThread Syscall
Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.
- Test 3Thread Context Modification Detection Test
Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.
References (4)
- https://attack.mitre.org/techniques/T1055/003/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.