T1055.003 CrowdStrike LogScale · LogScale

Detect Thread Execution Hijacking in CrowdStrike LogScale

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.003 Thread Execution Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessAccess
| TargetImageFileName=/(?i)(svchost\.exe|explorer\.exe|ctfmon\.exe|RuntimeBroker\.exe|sihost\.exe|lsass\.exe|winlogon\.exe)$/
| SourceImageFileName!=/(?i)(MsMpEng\.exe|csrss\.exe|services\.exe|WerFault\.exe|taskmgr\.exe|WmiPrvSE\.exe|SenseIR\.exe|SenseCE\.exe)/
| DesiredAccess=/(0x1FFFFF|0x001F0FFF|0x1F3FFF|0x1F1FFF|0x143A|0x1478)/
| SourceProcessId != TargetProcessId
| eval hijack_severity=if(match(DesiredAccess, "(0x1FFFFF|0x001F0FFF|0x1F3FFF)"), "High - PROCESS_ALL_ACCESS", "Medium - Suspicious thread access")
| groupBy([ComputerName, UserName, SourceImageFileName, TargetImageFileName, DesiredAccess, hijack_severity], function=[count(aid, as=event_count), max(timestamp, as=last_seen), min(timestamp, as=first_seen)])
| sort(last_seen, order=desc)
| table([last_seen, first_seen, ComputerName, UserName, SourceImageFileName, TargetImageFileName, DesiredAccess, hijack_severity, event_count])
high severity medium confidence

Detects Thread Execution Hijacking in CrowdStrike Falcon using LogScale CQL by querying ProcessAccess events for non-whitelisted source processes opening high-value Windows system processes with PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS, or other suspicious access masks. Groups results by host and process pair to highlight repeated injection attempts and reduce noise from one-off access events.

Data Sources

CrowdStrike Falcon Sensor (ProcessAccess telemetry)Falcon Data Replicator (FDR) process access events

Required Tables

#event_simpleName=ProcessAccess

False Positives & Tuning

  • CrowdStrike Falcon sensor itself and other installed EDR products generate ProcessAccess events when performing their own behavioral monitoring and memory scanning activities on system processes
  • Windows Performance Monitor (perfmon) and diagnostic tools like Process Monitor (procmon) open processes with broad access masks when collecting real-time performance counters and memory statistics
  • Application compatibility shims and Windows subsystem components may open processes with elevated access masks during application startup, patching, or compatibility layer initialization
Download portable Sigma rule (.yml)

Other platforms for T1055.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Thread Hijacking API Chain Simulation

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.

  2. Test 2SuspendThread via NtSuspendThread Syscall

    Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.

  3. Test 3Thread Context Modification Detection Test

    Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.004Asynchronous Procedure CallT1055.002Portable Executable InjectionT1106Native API

Same Tactic: Defense Evasion

Popular Detections