Detect Process Injection in Google Chronicle
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/
YARA-L Detection Query
rule t1055_process_injection_high_value_target {
meta:
author = "Argus Detection Engineering"
description = "Detects process injection via CreateRemoteThread or high-privilege ProcessAccess targeting critical Windows processes (MITRE ATT&CK T1055)"
mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
mitre_attack_technique = "T1055"
severity = "HIGH"
confidence = "MEDIUM"
version = "1.0"
events:
(
$e.metadata.event_type = "PROCESS_INJECTION" OR
(
$e.metadata.event_type = "PROCESS_OPEN" AND
(
$e.additional.fields["GrantedAccess"] = /0x1[Ff][0-9A-Fa-f]{4}/ OR
$e.additional.fields["GrantedAccess"] = "0x1FFFFF" OR
$e.additional.fields["GrantedAccess"] = "0x001F0FFF" OR
$e.additional.fields["GrantedAccess"] = "0x143A"
)
)
)
NOT $e.principal.process.file.full_path = /(?i)(MsMpEng|csrss|services|svchost|lsass|wmiprvse)\.exe$/
$e.target.process.file.full_path = /(?i)(lsass|csrss|winlogon|services|svchost|explorer|spoolsv)\.exe$/
condition:
$e
}Google Chronicle YARA-L 2.0 rule detecting process injection targeting high-value Windows processes. Covers Sysmon CreateRemoteThread events mapped to PROCESS_INJECTION UDM type and ProcessAccess events with high-privilege GrantedAccess masks mapped to PROCESS_OPEN. Source process filtering excludes known-safe OS and security tool paths. Requires Sysmon data ingested via Chronicle forwarder with Windows Sysmon UDM parser; GrantedAccess availability in additional.fields depends on parser configuration.
Data Sources
Required Tables
False Positives & Tuning
- Hypervisor guest integration tools (VMware Tools, VirtualBox Guest Additions) performing PROCESS_OPEN operations on Windows host processes for memory sharing and clipboard integration
- Windows Subsystem for Linux (WSL2) infrastructure components acquiring broad process handles to Windows-side processes for file system and network bridging
- Application performance management agents (Dynatrace OneAgent, New Relic) injecting profiling bytecode into monitored processes at runtime
- Endpoint protection platforms performing memory forensics via PROCESS_VM_READ on critical processes as part of live incident response or threat hunting workflows
Other platforms for T1055
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CreateRemoteThread DLL Injection via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for notepad.exe spawned by PowerShell. If using the full injection API chain, Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) will fire for the cross-process interaction.
- Test 2Process Injection via Mavinject
Expected signal: Sysmon Event ID 1: Process Create for mavinject.exe with /INJECTRUNNING argument. Sysmon Event ID 8: CreateRemoteThread from mavinject.exe to the target. Sysmon Event ID 7: ImageLoad of the injected DLL in the target process.
- Test 3Ptrace-based Process Injection on Linux
Expected signal: auditd: PTRACE syscall logged with type=SYSCALL and a]0=PTRACE_ATTACH. Syslog may show process attachment events. /proc/[pid]/status will show TracerPid set to the strace PID.
References (6)
- https://attack.mitre.org/techniques/T1055/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread
Unlock Pro Content
Get the full detection package for T1055 including response playbook, investigation guide, and atomic red team tests.
Related Detections
Sub-techniques (12)
- T1055.001Dynamic-link Library Injection
- T1055.002Portable Executable Injection
- T1055.003Thread Execution Hijacking
- T1055.004Asynchronous Procedure Call
- T1055.005Thread Local Storage
- T1055.008Ptrace System Calls
- T1055.009Proc Memory
- T1055.011Extra Window Memory Injection
- T1055.012Process Hollowing
- T1055.013Process Doppelganging
- T1055.014VDSO Hijacking
- T1055.015ListPlanting