T1055.003 IBM QRadar · QRadar

Detect Thread Execution Hijacking in IBM QRadar

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.003 Thread Execution Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "username",
  "sourceprocessname" AS hijacker_process,
  "destinationprocessname" AS victim_process,
  "categoryname"(category) AS event_category,
  QIDNAME(qid) AS event_name,
  "Extra" AS additional_fields
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 225)
  AND qid IN (
    SELECT qid FROM qidmap WHERE qname LIKE '%SetThreadContext%'
    UNION
    SELECT qid FROM qidmap WHERE qname LIKE '%CreateRemoteThread%'
    UNION
    SELECT qid FROM qidmap WHERE qname LIKE '%ProcessAccess%'
  )
  AND "sourceprocessname" NOT ILIKE '%MsMpEng%'
  AND "sourceprocessname" NOT ILIKE '%csrss%'
  AND "sourceprocessname" NOT ILIKE '%services.exe%'
  AND "sourceprocessname" NOT ILIKE '%WerFault%'
  AND "sourceprocessname" NOT ILIKE '%taskmgr%'
  AND "sourceprocessname" NOT ILIKE '%WmiPrvSE%'
  AND (
    "destinationprocessname" ILIKE '%svchost%'
    OR "destinationprocessname" ILIKE '%explorer%'
    OR "destinationprocessname" ILIKE '%ctfmon%'
    OR "destinationprocessname" ILIKE '%RuntimeBroker%'
    OR "destinationprocessname" ILIKE '%lsass%'
    OR "destinationprocessname" ILIKE '%winlogon%'
  )
  AND INOFFSET(starttime, -24 HOURS)
ORDER BY starttime DESC
LIMIT 1000
high severity medium confidence

Detects Thread Execution Hijacking in QRadar by querying for Sysmon or Windows Security events where a non-whitelisted source process accesses high-value system processes using thread manipulation API calls. Filters on SetThreadContext, CreateRemoteThread, and suspicious process access events targeting svchost, explorer, and other common injection targets.

Data Sources

Microsoft Windows Sysmon (QRadar DSM)Microsoft Windows Security Event LogQRadar Endpoint Activity Monitor

Required Tables

events

False Positives & Tuning

  • Endpoint detection and response agents that perform process memory inspection may generate process access events to svchost.exe and other system processes during behavioral monitoring
  • Software deployment tools (SCCM, Ivanti) may inject code into running processes during patching or software installation workflows
  • Virtualization and containerization software may use thread context manipulation for process isolation and sandboxing capabilities
Download portable Sigma rule (.yml)

Other platforms for T1055.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Thread Hijacking API Chain Simulation

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.

  2. Test 2SuspendThread via NtSuspendThread Syscall

    Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.

  3. Test 3Thread Context Modification Detection Test

    Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.004Asynchronous Procedure CallT1055.002Portable Executable InjectionT1106Native API

Same Tactic: Defense Evasion

Popular Detections