T1565.003

Runtime Data Manipulation

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, threatening the integrity of information presented at runtime. Unlike stored data manipulation which alters data at rest, runtime manipulation intercepts and alters data in memory or during processing before it reaches the display layer — allowing adversaries to show fraudulent information while persisting clean data on disk. APT38 demonstrated this with DYEPACK.FOX, which hooked PDF rendering to redact fraudulent SWIFT transaction records from operator views. Runtime manipulation typically requires process injection (CreateRemoteThread, WriteProcessMemory), DLL hijacking into display application processes, or API hooking of rendering or formatting functions. The technique is particularly dangerous in financial, SCADA, and operational technology environments where displayed data directly informs decisions.

Microsoft Sentinel / Defender

kusto

let DisplayApplications = dynamic([
  "acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe",
  "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
  "mspaint.exe", "explorer.exe", "mmc.exe", "wmplayer.exe",
  "evince", "okular", "libreoffice"
]);
let SuspiciousSourceProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"
]);
// Detect CreateRemoteThread into display/document applications
let RemoteThreadInjection = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "CreateRemoteThread"
| where FileName has_any (DisplayApplications)
| project Timestamp, DeviceName, AccountName, ActionType,
         TargetProcessName = FileName, TargetProcessId = ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, ReportId,
         DetectionType = "RemoteThreadInjection";
// Detect process memory write access into display applications (Sysmon-equivalent via DeviceEvents)
let ProcessMemoryWrite = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcess"
| where FileName has_any (DisplayApplications)
| where InitiatingProcessFileName has_any (SuspiciousSourceProcesses)
| project Timestamp, DeviceName, AccountName, ActionType,
         TargetProcessName = FileName, TargetProcessId = ProcessId,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, ReportId,
         DetectionType = "SuspiciousProcessOpen";
// Detect unexpected DLL loads into document viewer processes
let SuspiciousDllLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (DisplayApplications)
| where not(FolderPath has_any (@"C:\Windows\", @"C:\Program Files\", @"C:\Program Files (x86)\"))
| where SHA1 !in~ ("")
| project Timestamp, DeviceName, AccountName,
         FolderPath, FileName, SHA1,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, ReportId,
         DetectionType = "SuspiciousDllIntoViewer";
// Detect binary modifications to display application executables
let BinaryTampering = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileRenamed")
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (@"Program Files\Adobe", @"Program Files\Foxit",
         @"Program Files\Microsoft Office", @"Program Files (x86)\Microsoft Office")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "install.exe",
         "trustedinstaller.exe", "tiworker.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName,
         FolderPath, FileName, ActionType, SHA1,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, ReportId,
         DetectionType = "DisplayBinaryTampering";
union RemoteThreadInjection, ProcessMemoryWrite, SuspiciousDllLoad, BinaryTampering
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Access Module: Module Load File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceImageLoadEvents DeviceFileEvents

False Positives

EDR and AV products (CrowdStrike Falcon, Carbon Black, Cylance) routinely inject monitoring DLLs into all running processes including document viewers — their DLL paths and signing certificates should be allowlisted
Accessibility software (JAWS, NVDA, ZoomText) legitimately hooks rendering APIs in PDF and Office applications to provide screen reader functionality
Visual Studio debugger and tools like x64dbg/WinDbg attach to processes with full memory access rights during development and QA workflows
PDF print spooler integrations and enterprise DRM solutions (Adobe LiveCycle, Workshare, Vera) inject into Acrobat to intercept document output
Screen recording and enterprise content monitoring tools (Panopto, Citrix UiPath, Teramind) use process injection to capture display output for compliance purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (
    EventCode=8
    (
      TargetImage="*\\acrord32.exe" OR TargetImage="*\\acrobat.exe" OR
      TargetImage="*\\foxitreader.exe" OR TargetImage="*\\sumatrapdf.exe" OR
      TargetImage="*\\excel.exe" OR TargetImage="*\\winword.exe" OR
      TargetImage="*\\powerpnt.exe" OR TargetImage="*\\outlook.exe" OR
      TargetImage="*\\explorer.exe" OR TargetImage="*\\mmc.exe"
    )
  )
  OR
  (
    EventCode=10
    (
      TargetImage="*\\acrord32.exe" OR TargetImage="*\\acrobat.exe" OR
      TargetImage="*\\foxitreader.exe" OR TargetImage="*\\excel.exe" OR
      TargetImage="*\\winword.exe" OR TargetImage="*\\outlook.exe"
    )
    (
      SourceImage="*\\powershell.exe" OR SourceImage="*\\pwsh.exe" OR
      SourceImage="*\\cmd.exe" OR SourceImage="*\\wscript.exe" OR
      SourceImage="*\\cscript.exe" OR SourceImage="*\\mshta.exe" OR
      SourceImage="*\\rundll32.exe" OR SourceImage="*\\regsvr32.exe"
    )
  )
  OR
  (
    EventCode=7
    (
      Image="*\\acrord32.exe" OR Image="*\\acrobat.exe" OR
      Image="*\\foxitreader.exe" OR Image="*\\excel.exe" OR
      Image="*\\winword.exe"
    )
    NOT (
      ImageLoaded="*\\Windows\\*" OR ImageLoaded="*\\Program Files\\Adobe\\*" OR
      ImageLoaded="*\\Program Files\\Foxit\\*" OR ImageLoaded="*\\Program Files\\Microsoft Office\\*" OR
      ImageLoaded="*\\Program Files (x86)\\Microsoft Office\\*" OR
      Signed="true"
    )
  )
)
| eval EventType=case(
    EventCode="8", "RemoteThreadInjection",
    EventCode="10", "SuspiciousProcessAccess",
    EventCode="7", "UnexpectedDllLoad",
    true(), "Unknown"
  )
| eval TargetProc=coalesce(TargetImage, Image)
| eval SourceProc=coalesce(SourceImage, "N/A")
| eval GrantedAccessHex=coalesce(GrantedAccess, "N/A")
| eval IsWriteAccess=if(match(GrantedAccessHex, "(1F0FFF|001F|0028|0020)"), 1, 0)
| eval RiskScore=case(
    EventCode="8", 3,
    EventCode="10" AND IsWriteAccess=1, 2,
    EventCode="10" AND IsWriteAccess=0, 1,
    EventCode="7", 2,
    true(), 1
  )
| table _time, host, User, EventType, EventCode, TargetProc, SourceProc, GrantedAccessHex, IsWriteAccess, RiskScore, StartAddress, StartModule, ImageLoaded
| sort - RiskScore, _time

high severity medium confidence

Data Sources

Process: Process Access Module: Module Load Sysmon Event ID 8 (CreateRemoteThread) Sysmon Event ID 10 (ProcessAccess) Sysmon Event ID 7 (ImageLoad)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

EDR and AV products routinely inject monitoring threads and DLLs into all processes — their installer paths and digital signatures should be excluded via the Signed=true filter or allowlisted by SourceImage
Accessibility software (JAWS screen reader, ZoomText) attaches to document viewer processes to intercept rendering APIs for visually impaired users
Microsoft IntelliType, Wacom tablet drivers, and similar peripheral software inject into processes to provide input handling functionality
Enterprise DLP and content inspection agents (Symantec DLP, Forcepoint, Nightfall) legitimately hook into Office and PDF processes to intercept document content for policy enforcement
PDF printer drivers and virtual printer integrations inject into Acrobat/reader processes to intercept print spooler output

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe")]
  [process where event.action == "process_injection" and
   process.name in~ ("acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe",
                     "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                     "explorer.exe", "mmc.exe", "wmplayer.exe")]

any where
(
  (
    event.category == "library" and
    process.name in~ ("acrord32.exe", "acrobat.exe", "foxitreader.exe", "excel.exe", "winword.exe") and
    not dll.path : ("C:\\Windows\\*", "C:\\Program Files\\Adobe\\*",
                    "C:\\Program Files\\Foxit\\*", "C:\\Program Files\\Microsoft Office\\*",
                    "C:\\Program Files (x86)\\Microsoft Office\\*") and
    dll.code_signature.trusted == false
  ) or
  (
    event.category == "file" and
    event.type in ("change", "creation") and
    (file.name : "*.exe" or file.name : "*.dll") and
    file.path : ("*\\Program Files\\Adobe\\*", "*\\Program Files\\Foxit\\*",
                  "*\\Program Files\\Microsoft Office\\*", "*\\Program Files (x86)\\Microsoft Office\\*") and
    not process.name in~ ("msiexec.exe", "setup.exe", "install.exe",
                           "trustedinstaller.exe", "tiworker.exe", "svchost.exe")
  )
)

high severity medium confidence

Data Sources

Elastic Endpoint Security (endpoint agent) Windows Sysmon via Elastic Agent Elastic Defend — Process, Library, File events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate Adobe Acrobat plugin installations or updates that load unsigned DLLs transiently before signature verification completes
IT deployment tools (SCCM, Intune, PDQ Deploy) modifying Office or Acrobat binaries during patch cycles using atypical parent processes
Security products (EDR agents, DLP tools) legitimately injecting into document viewers for content inspection or DRM enforcement

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  "TargetImage",
  "SourceImage",
  "ImageLoaded",
  "GrantedAccess",
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 'RemoteThreadInjection'
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' THEN 'SuspiciousProcessAccess'
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' THEN 'UnexpectedDllLoad'
    ELSE 'BinaryTampering'
  END AS detection_type,
  CASE
    WHEN QIDNAME(qid) LIKE '%CreateRemoteThread%' THEN 3
    WHEN QIDNAME(qid) LIKE '%ProcessAccess%' AND "GrantedAccess" IN ('0x1F0FFF','0x001F','0x0028') THEN 2
    WHEN QIDNAME(qid) LIKE '%ImageLoad%' THEN 2
    ELSE 1
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 13 -- Microsoft Windows Security Event Log
  AND starttime > NOW() - 86400000
  AND (
    (
      "EventID" = '8'
      AND (
        "TargetImage" ILIKE '%\\acrord32.exe' OR "TargetImage" ILIKE '%\\acrobat.exe' OR
        "TargetImage" ILIKE '%\\foxitreader.exe' OR "TargetImage" ILIKE '%\\sumatrapdf.exe' OR
        "TargetImage" ILIKE '%\\excel.exe' OR "TargetImage" ILIKE '%\\winword.exe' OR
        "TargetImage" ILIKE '%\\powerpnt.exe' OR "TargetImage" ILIKE '%\\outlook.exe' OR
        "TargetImage" ILIKE '%\\explorer.exe' OR "TargetImage" ILIKE '%\\mmc.exe'
      )
    )
    OR
    (
      "EventID" = '10'
      AND (
        "TargetImage" ILIKE '%\\acrord32.exe' OR "TargetImage" ILIKE '%\\acrobat.exe' OR
        "TargetImage" ILIKE '%\\foxitreader.exe' OR "TargetImage" ILIKE '%\\excel.exe' OR
        "TargetImage" ILIKE '%\\winword.exe' OR "TargetImage" ILIKE '%\\outlook.exe'
      )
      AND (
        "SourceImage" ILIKE '%\\powershell.exe' OR "SourceImage" ILIKE '%\\pwsh.exe' OR
        "SourceImage" ILIKE '%\\cmd.exe' OR "SourceImage" ILIKE '%\\wscript.exe' OR
        "SourceImage" ILIKE '%\\cscript.exe' OR "SourceImage" ILIKE '%\\mshta.exe' OR
        "SourceImage" ILIKE '%\\rundll32.exe' OR "SourceImage" ILIKE '%\\regsvr32.exe'
      )
    )
    OR
    (
      "EventID" = '7'
      AND (
        "Image" ILIKE '%\\acrord32.exe' OR "Image" ILIKE '%\\acrobat.exe' OR
        "Image" ILIKE '%\\foxitreader.exe' OR "Image" ILIKE '%\\excel.exe' OR
        "Image" ILIKE '%\\winword.exe'
      )
      AND "Signed" <> 'true'
      AND NOT (
        "ImageLoaded" ILIKE '%\\Windows\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Adobe\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Foxit\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files\\Microsoft Office\\%' OR
        "ImageLoaded" ILIKE '%\\Program Files (x86)\\Microsoft Office\\%'
      )
    )
  )
ORDER BY risk_score DESC, starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (forwarded via WinCollect or syslog) IBM QRadar DSM for Microsoft Windows

Required Tables

events (QRadar)

False Positives

Enterprise DRM solutions that inject into Acrobat or Office to enforce document rights management policies
Screen recording or accessibility software (e.g., JAWS, ZoomText) that hooks into document viewers for rendering capture
Corporate monitoring tools that open handles to Office processes for activity tracking or compliance purposes

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| where EventID in ("7", "8", "10")
| where (
    (EventID = "8" and (
      TargetImage matches "*\\acrord32.exe" or TargetImage matches "*\\acrobat.exe" or
      TargetImage matches "*\\foxitreader.exe" or TargetImage matches "*\\sumatrapdf.exe" or
      TargetImage matches "*\\excel.exe" or TargetImage matches "*\\winword.exe" or
      TargetImage matches "*\\powerpnt.exe" or TargetImage matches "*\\outlook.exe" or
      TargetImage matches "*\\explorer.exe" or TargetImage matches "*\\mmc.exe"
    ))
    or
    (EventID = "10" and (
      TargetImage matches "*\\acrord32.exe" or TargetImage matches "*\\acrobat.exe" or
      TargetImage matches "*\\foxitreader.exe" or TargetImage matches "*\\excel.exe" or
      TargetImage matches "*\\winword.exe" or TargetImage matches "*\\outlook.exe"
    ) and (
      SourceImage matches "*\\powershell.exe" or SourceImage matches "*\\pwsh.exe" or
      SourceImage matches "*\\cmd.exe" or SourceImage matches "*\\wscript.exe" or
      SourceImage matches "*\\cscript.exe" or SourceImage matches "*\\mshta.exe" or
      SourceImage matches "*\\rundll32.exe" or SourceImage matches "*\\regsvr32.exe"
    ))
    or
    (EventID = "7" and (
      Image matches "*\\acrord32.exe" or Image matches "*\\acrobat.exe" or
      Image matches "*\\foxitreader.exe" or Image matches "*\\excel.exe" or
      Image matches "*\\winword.exe"
    ) and Signed != "true" and (
      !(ImageLoaded matches "*\\Windows\\*") and
      !(ImageLoaded matches "*\\Program Files\\Adobe\\*") and
      !(ImageLoaded matches "*\\Program Files\\Foxit\\*") and
      !(ImageLoaded matches "*\\Program Files\\Microsoft Office\\*") and
      !(ImageLoaded matches "*\\Program Files (x86)\\Microsoft Office\\*")
    ))
  )
| eval EventType = if(EventID = "8", "RemoteThreadInjection",
    if(EventID = "10", "SuspiciousProcessAccess",
    if(EventID = "7", "UnexpectedDllLoad", "Unknown")))
| eval TargetProc = if(!isNull(TargetImage), TargetImage, Image)
| eval SourceProc = if(!isNull(SourceImage), SourceImage, "N/A")
| eval RiskScore = if(EventID = "8", 3,
    if(EventID = "10" and (GrantedAccess in ("0x1F0FFF","0x001F","0x0028","0x0020")), 2,
    if(EventID = "7", 2, 1)))
| fields _messageTime, Computer, User, EventType, EventID, TargetProc, SourceProc, GrantedAccess, ImageLoaded, RiskScore
| sort by RiskScore, _messageTime

high severity medium confidence

Data Sources

Windows Sysmon operational logs Sumo Logic Windows agent collecting Sysmon/Operational channel

Required Tables

_sourceCategory=windows/sysmon

False Positives

Legitimate PDF plugin frameworks (e.g., third-party Acrobat plugins installed by the user) that load DLLs from non-standard paths during first run
Windows compatibility shims applied by Application Compatibility Toolkit that inject into Office processes for older application support
Antivirus or endpoint security software that hooks into display application processes to scan rendered content

Google Chronicle / SecOps

yaral

rule t1565_003_runtime_data_manipulation {
  meta:
    author = "df00tech"
    description = "Detects T1565.003 Runtime Data Manipulation via process injection, suspicious DLL loads, or binary tampering targeting display/document applications"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1565.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // CreateRemoteThread or Process Access into display applications
      (
        $e.metadata.event_type = "PROCESS_INJECTION"
        and (
          $e.target.process.file.full_path = /(?i)(acrord32|acrobat|foxitreader|sumatrapdf|excel|winword|powerpnt|outlook|explorer|mmc|wmplayer)\.exe$/
        )
      )
      or
      // Suspicious process opening display application with write permissions
      (
        $e.metadata.event_type = "PROCESS_OPEN"
        and (
          $e.target.process.file.full_path = /(?i)(acrord32|acrobat|foxitreader|excel|winword|outlook)\.exe$/
        )
        and (
          $e.principal.process.file.full_path = /(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$/
        )
      )
      or
      // Unexpected DLL load into document viewer (unsigned, non-standard path)
      (
        $e.metadata.event_type = "PROCESS_MODULE_LOAD"
        and (
          $e.principal.process.file.full_path = /(?i)(acrord32|acrobat|foxitreader|excel|winword)\.exe$/
        )
        and not (
          $e.target.file.full_path = /(?i)(C:\\Windows\\|C:\\Program Files\\Adobe\\|C:\\Program Files\\Foxit\\|C:\\Program Files\\Microsoft Office\\|C:\\Program Files \(x86\)\\Microsoft Office\\)/
        )
        and $e.target.file.pe_file.signature_info.signature_algorithm = ""
      )
      or
      // Binary tampering of display application executables
      (
        $e.metadata.event_type = "FILE_MODIFICATION"
        and (
          $e.target.file.full_path = /(?i)(Program Files\\Adobe|Program Files\\Foxit|Program Files\\Microsoft Office|Program Files \(x86\)\\Microsoft Office)/
        )
        and (
          $e.target.file.full_path = /(?i)\.(exe|dll)$/
        )
        and not (
          $e.principal.process.file.full_path = /(?i)(msiexec|setup|install|trustedinstaller|tiworker|svchost)\.exe$/
        )
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM — Windows endpoint telemetry Chronicle Ingestion: Microsoft Defender for Endpoint, CrowdStrike Falcon, or Sysmon via forwarder

Required Tables

UDM events (Chronicle)

False Positives

Legitimate enterprise PDF workflow tools that perform in-process rendering transformations using COM automation or OLE, which may trigger process open events
Third-party Office add-ins deployed via Group Policy that are stored in non-standard locations and loaded as unsigned DLLs into winword.exe or excel.exe
Software deployment solutions running as svchost or service-hosted processes that update Adobe or Office binaries and are not included in the allowlist

CrowdStrike LogScale (CQL)

cql

// T1565.003 Runtime Data Manipulation — CrowdStrike LogScale CQL
// Detect injection, DLL hooking, and binary tampering targeting display/document apps

#event_simpleName in (
  "CreateRemoteThreadV2",
  "ProcessRollup2",
  "SuspiciousProcess",
  "ModuleLoadV3",
  "SuspiciousProcessSuspectedHostOfMaliciousCode"
)
| TargetFileName := lower(TargetFileName)
| ImageFileName := lower(ImageFileName)
| ParentBaseFileName := lower(ParentBaseFileName)
| DisplayAppList := array("acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe",
                           "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                           "explorer.exe", "mmc.exe", "wmplayer.exe")
| SuspiciousParentList := array("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| IsDisplayAppTarget := in(field=TargetFileName, values=DisplayAppList)
| IsDisplayAppImage := in(field=ImageFileName, values=DisplayAppList)
| IsSuspiciousParent := in(field=ParentBaseFileName, values=SuspiciousParentList)
| IsRemoteThread := #event_simpleName = "CreateRemoteThreadV2" and IsDisplayAppTarget = true
| IsSuspiciousModuleLoad := #event_simpleName = "ModuleLoadV3" and IsDisplayAppImage = true
    and not match(field=ImageFilePath, regex="(?i)(windows\\|program files\\adobe\\|program files\\foxit\\|program files\\microsoft office\\|program files \(x86\)\\microsoft office\\)")
| IsInjectionAttempt := #event_simpleName in ("SuspiciousProcess", "ProcessRollup2")
    and IsDisplayAppTarget = true and IsSuspiciousParent = true
| DetectionFired := IsRemoteThread OR IsSuspiciousModuleLoad OR IsInjectionAttempt
| where DetectionFired = true
| eval DetectionType = case(
    IsRemoteThread = true, "RemoteThreadInjection",
    IsSuspiciousModuleLoad = true, "UnexpectedModuleLoad",
    IsInjectionAttempt = true, "SuspiciousParentChildInjection",
    true, "Unknown"
  )
| eval RiskScore = case(
    IsRemoteThread = true, 3,
    IsSuspiciousModuleLoad = true, 2,
    IsInjectionAttempt = true, 2,
    true, 1
  )
| groupBy(
    [ComputerName, UserName, DetectionType, TargetFileName, ImageFileName, ParentBaseFileName,
     CommandLine, RiskScore],
    function=count(as=EventCount)
  )
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint sensor Falcon telemetry: CreateRemoteThreadV2, ModuleLoadV3, ProcessRollup2, SuspiciousProcess events

Required Tables

CrowdStrike Falcon event stream (LogScale)

False Positives

Falcon sensor itself or other CrowdStrike components performing legitimate inspection of document viewer memory for threat detection, generating CreateRemoteThread telemetry
Microsoft 365 Click-to-Run update service (OfficeClickToRun.exe) loading modules into running Office processes during background patching on endpoints where C2R is not in the allowlist
Enterprise PDF conversion services (e.g., network print-to-PDF workflows) that automate Acrobat via COM and open process handles from atypical parent processes

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1565.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Runtime Data Manipulation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections