T1055.003 Sumo Logic CSE · Sumo

Detect Thread Execution Hijacking in Sumo Logic CSE

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively. This is very similar to Process Hollowing but targets an existing process rather than creating a process in a suspended state.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.003 Thread Execution Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory="windows/sysmon" EventID=10
| parse "<SourceImage>*</SourceImage>" as source_image
| parse "<TargetImage>*</TargetImage>" as target_image
| parse "<GrantedAccess>*</GrantedAccess>" as granted_access
| parse "<SourceProcessId>*</SourceProcessId>" as source_pid
| parse "<TargetProcessId>*</TargetProcessId>" as target_pid
| parse "<User>*</User>" as user
| where granted_access in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x1F1FFF", "0x143A", "0x1478", "0x40", "0x20")
| where !(source_image matches "*MsMpEng.exe" or source_image matches "*csrss.exe" or source_image matches "*services.exe" or source_image matches "*WerFault.exe" or source_image matches "*taskmgr.exe" or source_image matches "*WmiPrvSE.exe")
| where target_image matches "*svchost.exe" or target_image matches "*explorer.exe" or target_image matches "*ctfmon.exe" or target_image matches "*RuntimeBroker.exe" or target_image matches "*lsass.exe" or target_image matches "*winlogon.exe" or target_image matches "*sihost.exe"
| if(granted_access in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF"), "High - PROCESS_ALL_ACCESS or THREAD_ALL_ACCESS", "Medium - Suspicious access mask") as hijack_severity
| fields _messageTime, _sourceHost, user, source_image, target_image, granted_access, source_pid, target_pid, hijack_severity
| sort by _messageTime desc
high severity medium confidence

Detects Thread Execution Hijacking using Sumo Logic by parsing Sysmon Event ID 10 (Process Access) for high-privilege access masks associated with thread hijacking techniques. Correlates source and target process names to identify non-whitelisted processes accessing high-value Windows system processes with THREAD_ALL_ACCESS or PROCESS_ALL_ACCESS permissions.

Data Sources

Sysmon via Sumo Logic Windows AgentSumo Logic Cloud SIEM Enterprise normalized process access events

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Legitimate process injection performed by endpoint security solutions for behavioral monitoring — many EDR agents use process access APIs that resemble injection patterns
  • Just-in-time (JIT) compilers in .NET and Java runtimes may write executable code into memory regions and manipulate thread contexts as part of normal JIT compilation
  • Remote administration tools (RATs used legitimately, such as TeamViewer or AnyDesk) may perform thread-level operations on target processes during screen sharing or remote control sessions
Download portable Sigma rule (.yml)

Other platforms for T1055.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Thread Hijacking API Chain Simulation

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. If full API chain executed: Sysmon Event ID 10 (ProcessAccess) with THREAD_ALL_ACCESS rights. MDE DeviceEvents with SetThreadContextApiCall action type.

  2. Test 2SuspendThread via NtSuspendThread Syscall

    Expected signal: Sysmon Event ID 1 for notepad.exe creation. If NtSuspendThread called: ETW event from Microsoft-Windows-Threat-Intelligence provider. Process status would show suspended state in Process Explorer.

  3. Test 3Thread Context Modification Detection Test

    Expected signal: Sysmon Event ID 1 for calc.exe/Calculator.exe creation. Process Access events (Event ID 10) from PowerShell to the calculator process. Thread enumeration visible in ETW traces.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.004Asynchronous Procedure CallT1055.002Portable Executable InjectionT1106Native API

Same Tactic: Defense Evasion

Popular Detections