T1055 IBM QRadar · QRadar

Detect Process Injection in IBM QRadar

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Canonical reference
https://attack.mitre.org/techniques/T1055/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "SourceImage" AS SourceProcess,
  "TargetImage" AS TargetProcess,
  "GrantedAccess" AS AccessMask,
  QIDNAME(qid) AS EventName,
  magnitude
FROM events
WHERE
  (
    QIDNAME(qid) ILIKE '%CreateRemoteThread%'
    OR (
      QIDNAME(qid) ILIKE '%ProcessAccess%'
      AND (
        "GrantedAccess" ILIKE '0x1F%'
        OR "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x143A')
      )
    )
  )
  AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
  AND "SourceImage" NOT ILIKE '%\csrss.exe'
  AND "SourceImage" NOT ILIKE '%\services.exe'
  AND "SourceImage" NOT ILIKE '%\svchost.exe'
  AND "SourceImage" NOT ILIKE '%\lsass.exe'
  AND "SourceImage" NOT ILIKE '%\wmiprvse.exe'
  AND (
    "TargetImage" ILIKE '%\lsass.exe'
    OR "TargetImage" ILIKE '%\csrss.exe'
    OR "TargetImage" ILIKE '%\winlogon.exe'
    OR "TargetImage" ILIKE '%\services.exe'
    OR "TargetImage" ILIKE '%\svchost.exe'
    OR "TargetImage" ILIKE '%\explorer.exe'
    OR "TargetImage" ILIKE '%\spoolsv.exe'
  )
  AND LAST 24 HOURS
ORDER BY starttime DESC
high severity medium confidence

IBM QRadar AQL query detecting Sysmon CreateRemoteThread (EID 8) and suspicious ProcessAccess (EID 10) events with high-privilege access masks targeting critical Windows system processes. Requires the QRadar Windows Sysmon DSM to be installed and configured with custom event properties for SourceImage, TargetImage, and GrantedAccess extracted from Sysmon XML payloads.

Data Sources

IBM QRadar SIEMWindows Sysmon (via QRadar Sysmon DSM)Microsoft Windows Event Log

Required Tables

events

False Positives & Tuning

  • Windows Defender and third-party AV products reading lsass.exe memory with broad access masks for credential protection and threat scanning
  • Legitimate VSS-aware backup software (Veeam, Acronis) opening handles to critical processes with full access for application-consistent snapshots
  • Software development and decompilation tools (dotPeek, dnSpy) attaching to .NET processes with PROCESS_ALL_ACCESS for live code analysis
  • Windows Error Reporting (WerFault.exe) opening handles to crashing processes to collect memory dumps for telemetry reporting
Download portable Sigma rule (.yml)

Other platforms for T1055

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CreateRemoteThread DLL Injection via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for notepad.exe spawned by PowerShell. If using the full injection API chain, Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) will fire for the cross-process interaction.

  2. Test 2Process Injection via Mavinject

    Expected signal: Sysmon Event ID 1: Process Create for mavinject.exe with /INJECTRUNNING argument. Sysmon Event ID 8: CreateRemoteThread from mavinject.exe to the target. Sysmon Event ID 7: ImageLoad of the injected DLL in the target process.

  3. Test 3Ptrace-based Process Injection on Linux

    Expected signal: auditd: PTRACE syscall logged with type=SYSCALL and a]0=PTRACE_ATTACH. Syslog may show process attachment events. /proc/[pid]/status will show TracerPid set to the strace PID.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1055 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (12)

Related Techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.012Process HollowingT1003OS Credential DumpingT1134Access Token ManipulationT1027.011Fileless Storage

Same Tactic: Defense Evasion

Popular Detections