T1674 Input Injection Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousChildProcs = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"]);
let EncodedFlags = dynamic(["-EncodedCommand", "-enc ", "-e ", "IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String", "-WindowStyle Hidden", "-NoProfile", "-NonInteractive"]);
// Detect shell processes spawned via simulated input from desktop/shell parents with obfuscated command lines
let HIDSpawnedShells = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName in~ ("explorer.exe", "winlogon.exe", "userinit.exe", "sihost.exe", "taskhostw.exe")
| where FileName in~ (SuspiciousChildProcs)
| where ProcessCommandLine has_any (EncodedFlags)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId,
    FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine,
    FolderPath, SHA256, ReportId;
// Detect browser developer console or address bar manipulation patterns (BackSwap-style)
let BrowserInjection = DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId,
    FileName, ProcessId, ProcessCommandLine, FolderPath, SHA256, ReportId;
// Union both patterns
union HIDSpawnedShells, BrowserInjection
| extend InjectionType = iff(InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe"), "BrowserInputInjection", "HIDKeystrokeInjection")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, AccountName, InjectionType, InitiatingProcessFileName,
    InitiatingProcessId, FileName, ProcessId, ProcessCommandLine, SHA256, ReportId

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications
Developer tools and IDEs that programmatically open terminal sessions from browser-integrated development environments
Browser automation frameworks (Selenium, Puppeteer in non-headless mode) during legitimate QA testing that trigger child process creation

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImage=lower(ParentImage), Image=lower(Image), CommandLine=lower(CommandLine)
| where (match(ParentImage, "(explorer\.exe|winlogon\.exe|userinit\.exe|sihost\.exe|taskhostw\.exe)$")
    AND match(Image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)$")
    AND (match(CommandLine, "(-encodedcommand|-enc |-e |iex|invoke-expression|downloadstring|downloadfile|frombase64string|-windowstyle hidden|-noprofile|-noninteractive)")))
    OR (match(ParentImage, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$")
    AND match(Image, "(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$"))
| eval InjectionType=case(
    match(ParentImage, "(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe)$"), "BrowserInputInjection",
    match(ParentImage, "(explorer\.exe|winlogon\.exe|userinit\.exe|sihost\.exe|taskhostw\.exe)$"), "HIDKeystrokeInjection",
    true(), "Unknown")
| table _time, host, User, InjectionType, ParentImage, ParentProcessId, Image, ProcessId, CommandLine, Hashes
| sort -_time

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Desktop automation scripts using AutoHotkey, AutoIt, or similar tools that legitimately simulate keystrokes and launch processes
Enterprise software deployment tools that use user-context process spawning via explorer.exe shell execution
Accessibility software and voice-to-text tools that use keystroke simulation to interact with desktop applications
Browser-integrated development tools or IDE browser plugins that spawn terminal windows for developer workflows
Legitimate RPA (Robotic Process Automation) software during normal business process automation

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1674*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications

Google Chronicle / SecOps

yaral

rule detection_t1674 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Input Injection - T1674"
    severity = "HIGH"
    mitre_attack = "T1674"
    reference = "https://attack.mitre.org/techniques/T1674/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate IT automation tools (AutoHotkey, AutoIt, SikuliX) used for desktop automation workflows that spawn PowerShell from shell processes
Software deployment systems (SCCM, PDQ Deploy, Ansible) that use explorer.exe as a parent during user-context deployments
Accessibility software (Dragon NaturallySpeaking, voice control tools) that simulate keystrokes to interact with applications

Input Injection

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections