EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Windows Process Injection into Commonly Abused Processes

The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.

MITRE ATT&CK

T1055.002
defense-evasionprivilege-escalation

Detection Query

`sysmon`
EventCode=10
TargetImage IN (
    "*\\backgroundtaskhost.exe",
    "*\\calc.exe",
    "*\\CalculatorApp.exe",
    "*\\chrome.exe",
    "*\\dllhost.exe",
    "*\\edge.exe",
    "*\\firefox.exe",
    "*\\lsass.exe",
    "*\\mspaint.exe",
    "*\\notepad.exe",
    "*\\regsvr32.exe",
    "*\\searchprotocolhost.exe",
    "*\\spoolsv.exe",
    "*\\svchost.exe",
    "*\\werfault.exe",
    "*\\win32calc.exe",
    "*\\wordpad.exe",
    "*\\wuauclt.exe"
)

NOT SourceImage IN (
    "*:\\Windows\\Program Files (x86)\\*",
    "*:\\Windows\\Program Files\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\SysWOW64\\*"
)

GrantedAccess IN (
    "0x1f3fff",
    "0x1fffff",
    "0x40"
)

| stats values(user) as user
        min(_time) as firstTime
        max(_time) as lastTime count
by dest user_id parent_process_name parent_process_guid
   process_name process_guid process_id signature SourceImage
   TargetImage GrantedAccess CallTrace

| eval CallTrace=split(CallTrace, "|")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime dest user_id parent_process_name parent_process_guid process_name process_guid process_id signature SourceImage TargetImage GrantedAccess CallTrace
| `windows_process_injection_into_commonly_abused_processes_filter`

Author

0xC0FFEEEE, Github Community

Created

2026-03-10

Data Sources

Sysmon EventID 10

References

Tags

BishopFox Sliver Adversary Emulation FrameworkEarth AluxSAP NetWeaver ExploitationAPT37 Rustonotto and FadeStealer
Raw Content
name: Windows Process Injection into Commonly Abused Processes
id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
version: 6
date: '2026-03-10'
author: 0xC0FFEEEE, Github Community
type: Anomaly
status: production
data_source:
    - Sysmon EventID 10
description: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
search: |-
    `sysmon`
    EventCode=10
    TargetImage IN (
        "*\\backgroundtaskhost.exe",
        "*\\calc.exe",
        "*\\CalculatorApp.exe",
        "*\\chrome.exe",
        "*\\dllhost.exe",
        "*\\edge.exe",
        "*\\firefox.exe",
        "*\\lsass.exe",
        "*\\mspaint.exe",
        "*\\notepad.exe",
        "*\\regsvr32.exe",
        "*\\searchprotocolhost.exe",
        "*\\spoolsv.exe",
        "*\\svchost.exe",
        "*\\werfault.exe",
        "*\\win32calc.exe",
        "*\\wordpad.exe",
        "*\\wuauclt.exe"
    )

    NOT SourceImage IN (
        "*:\\Windows\\Program Files (x86)\\*",
        "*:\\Windows\\Program Files\\*",
        "*:\\Windows\\System32\\*",
        "*:\\Windows\\SysWOW64\\*"
    )

    GrantedAccess IN (
        "0x1f3fff",
        "0x1fffff",
        "0x40"
    )

    | stats values(user) as user
            min(_time) as firstTime
            max(_time) as lastTime count
    by dest user_id parent_process_name parent_process_guid
       process_name process_guid process_id signature SourceImage
       TargetImage GrantedAccess CallTrace

    | eval CallTrace=split(CallTrace, "|")
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime dest user_id parent_process_name parent_process_guid process_name process_guid process_id signature SourceImage TargetImage GrantedAccess CallTrace
    | `windows_process_injection_into_commonly_abused_processes_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. If removing the paths is important, realize svchost and many native binaries inject into processes consistently. Restrict or tune as needed.
references:
    - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/
    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects:
        - field: SourceImage
          type: process
        - field: TargetImage
          type: process
tags:
    analytic_story:
        - BishopFox Sliver Adversary Emulation Framework
        - Earth Alux
        - SAP NetWeaver Exploitation
        - APT37 Rustonotto and FadeStealer
    asset_type: Endpoint
    mitre_attack_id:
        - T1055.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog