Detect Thread Execution Hijacking in Splunk
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.003 Thread Execution Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
| where GrantedAccess IN ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1F1FFF", "0x143A", "0x1478")
| rename SourceImage as Hijacker, TargetImage as Victim
| search NOT Hijacker IN ("*\\MsMpEng.exe", "*\\csrss.exe", "*\\services.exe", "*\\WerFault.exe", "*\\taskmgr.exe", "*\\WmiPrvSE.exe")
| eval HijackerName=mvindex(split(Hijacker, "\\"), -1)
| eval VictimName=mvindex(split(Victim, "\\"), -1)
| eval ThreadHijackSuspect=if(match(GrantedAccess, "(0x1FFFFF|0x001F0FFF|0x1F3FFF)"), "High - PROCESS_ALL_ACCESS or THREAD_ALL_ACCESS", "Medium - Suspicious access mask")
| table _time, host, User, Hijacker, Victim, GrantedAccess, ThreadHijackSuspect
| sort - _timeDetects potential Thread Execution Hijacking via Sysmon Event ID 10 (ProcessAccess) with access rights that include thread manipulation capabilities. The GrantedAccess masks 0x1FFFFF (PROCESS_ALL_ACCESS), 0x1F3FFF (includes THREAD_ALL_ACCESS), and 0x1478 (THREAD_SUSPEND_RESUME + SET_CONTEXT + GET_CONTEXT + QUERY_INFO) are required for the SuspendThread -> SetThreadContext -> ResumeThread chain.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Debuggers legitimately accessing thread context of debuggee processes
- Windows Error Reporting accessing crashed process threads
- Anti-cheat software performing thread integrity checks
- System management tools inspecting process thread states
Other platforms for T1055.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Thread Hijacking API Chain Simulation
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.
- Test 2SuspendThread via NtSuspendThread Syscall
Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.
- Test 3Thread Context Modification Detection Test
Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.
References (4)
- https://attack.mitre.org/techniques/T1055/003/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Unlock Pro Content
Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.