Detect Thread Execution Hijacking in Microsoft Sentinel
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.003 Thread Execution Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/003/
KQL Detection Query
// Detect Thread Execution Hijacking via SetThreadContext API usage
// Key indicator: SuspendThread + SetThreadContext + ResumeThread on a remote process
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("SetThreadContextApiCall", "CreateRemoteThreadApiCall")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "services.exe", "WerFault.exe", "taskmgr.exe")
| where InitiatingProcessId != ProcessId
| extend IsSuspiciousTarget = FileName in~ ("svchost.exe", "explorer.exe", "ctfmon.exe", "RuntimeBroker.exe", "sihost.exe")
| project Timestamp, DeviceName, AccountName, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId,
FileName, ProcessId, IsSuspiciousTarget
| sort by Timestamp descDetects Thread Execution Hijacking by monitoring for SetThreadContext API calls targeting remote processes. SetThreadContext is the key API that distinguishes thread hijacking from standard CreateRemoteThread injection — it modifies an existing thread's instruction pointer to redirect execution. Filters out legitimate OS processes that use SetThreadContext for debugging and error handling.
Data Sources
Required Tables
False Positives & Tuning
- Debuggers (WinDbg, x64dbg, Visual Studio) using SetThreadContext to modify debuggee thread state
- Windows Error Reporting (WerFault.exe) suspending and inspecting crashed process threads
- Anti-cheat software suspending and scanning game process threads for integrity
- Application crash handlers that suspend threads to generate crash dumps
Other platforms for T1055.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Thread Hijacking API Chain Simulation
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.
- Test 2SuspendThread via NtSuspendThread Syscall
Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.
- Test 3Thread Context Modification Detection Test
Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.
References (4)
- https://attack.mitre.org/techniques/T1055/003/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.