1+ name : Windows Process Injection into Commonly Abused Processes
2+ id : 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
3+ version : 1
4+ date : ' 2025-03-19'
5+ author : 0xC0FFEEEE, Github Community
6+ type : Anomaly
7+ status : production
8+ data_source :
9+ - Sysmon EventID 10
10+ description : The following analytic detects process injection into executables that are commonly abused using
11+ Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff)
12+ to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program
13+ Files. This behavior is often associated with the SliverC2 framework by BishopFox.
14+ Monitoring this activity is crucial as it may indicate an initial payload attempting
15+ to execute malicious code. If confirmed malicious, this could
16+ allow attackers to execute arbitrary code, potentially leading to privilege escalation
17+ or persistent access within the environment.
18+ search : ' `sysmon` EventCode=10 TargetImage IN ("*\\notepad.exe", "*\\wordpad.exe", "*\\calc.exe", "*\\mspaint.exe", "*\\lsass.exe", "*\\svchost.exe", "*\\backgroundtaskhost.exe", "*\\dllhost.exe", "*\\regsvr32.exe", "*\\searchprotocolhost.exe", "*\\werfault.exe", "*\\wuauclt.exe", "*\\spoolsv.exe", "*\\chrome.exe", "*\\edge.exe", "*\\firefox.exe") NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*", "*\\Program Files (x86)\\*")) GrantedAccess IN ("0x40","0x1fffff", "0x1f3fff")
19+ | stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by dest SourceImage TargetImage GrantedAccess CallTrace
20+ | eval CallTrace=split(CallTrace, "|")
21+ | `security_content_ctime(firstTime)`
22+ | `security_content_ctime(lastTime)`
23+ | table firstTime lastTime dest user SourceImage TargetImage GrantedAccess CallTrace count
24+ | `windows_process_injection_into_commonly_abused_processes_filter`'
25+ how_to_implement : To successfully implement this search, you need to be ingesting
26+ logs with the process name, parent process, and command-line executions from your
27+ endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
28+ Sysmon TA.
29+ known_false_positives : False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe.
30+ If removing the paths is important, realize svchost and many native binaries inject
31+ into processes consistently. Restrict or tune as needed.
32+ references :
33+ - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/
34+ - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
35+ - https://redcanary.com/threat-detection-report/techniques/process-injection/
36+ drilldown_searches :
37+ - name : View the detection results for - "$dest$"
38+ search : ' %original_detection_search% | search dest = "$dest$"'
39+ earliest_offset : $info_min_time$
40+ latest_offset : $info_max_time$
41+ - name : View risk events for the last 7 days for - "$dest$"
42+ search : ' | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
43+ starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
44+ values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
45+ as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
46+ as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
47+ | `security_content_ctime(lastTime)`'
48+ earliest_offset : $info_min_time$
49+ latest_offset : $info_max_time$
50+ rba :
51+ message : An instance of $SourceImage$ injecting into $TargetImage$ was identified
52+ on endpoint $dest$.
53+ risk_objects :
54+ - field : dest
55+ type : system
56+ score : 32
57+ threat_objects :
58+ - field : SourceImage
59+ type : process
60+ - field : TargetImage
61+ type : process
62+ tags :
63+ analytic_story :
64+ - BishopFox Sliver Adversary Emulation Framework
65+ asset_type : Endpoint
66+ mitre_attack_id :
67+ - T1055.002
68+ product :
69+ - Splunk Enterprise
70+ - Splunk Enterprise Security
71+ - Splunk Cloud
72+ security_domain : endpoint
73+ tests :
74+ - name : True Positive Test
75+ attack_data :
76+ - data :
77+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log
78+ source : XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
79+ sourcetype : XmlWinEventLog
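Review bot: the `description` (lines 10-13) no longer matches the `search` (line 18): the description names only GrantedAccess 0x40 and 0x1fffff and only notepad.exe, wordpad.exe and calc.exe, while the search also matches 0x1f3fff and a much longer TargetImage list including lsass.exe, svchost.exe, regsvr32.exe, dllhost.exe and the chrome/edge/firefox browsers. Since the `known_false_positives` text already discusses lsass.exe and regsvr32.exe, update the description to list the full set of targets and access masks so analysts reading the alert understand what actually fires it. On the same hunk, `how_to_implement` (lines 25-28) is process-creation boilerplate ("process name, parent process, and command-line executions"); this search depends on Sysmon EventCode 10 (ProcessAccess) with the TargetImage, GrantedAccess and CallTrace fields, so the implementation note should say that instead, e.g. "you need to be ingesting Sysmon EventID 10 (ProcessAccess) events with the SourceImage, TargetImage, GrantedAccess and CallTrace fields from your endpoints."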