T1055

Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a le...

Platforms: Linux, macOS, Windows

79 Detections
3 Sources
15 Threat Actors

BY SOURCE

sigma: 27, splunk_escu: 27, elastic: 25

PROCEDURES (51)

General Monitoring (4 detections, auto-extracted)
Remote Thread (3 detections, auto-extracted)
Inject (3 detections, auto-extracted)
C2 (2 detections, auto-extracted)
Parent Process (2 detections, auto-extracted)
Command And Control (2 detections, auto-extracted)
Lateral (2 detections, auto-extracted)
Privilege (2 detections, auto-extracted)
Privilege (2 detections, auto-extracted)
Inject (2 detections, auto-extracted)
Child Process (2 detections, auto-extracted)
Child Process (2 detections, auto-extracted)
Process Creation Monitoring (1 detection, auto-extracted)
Privilege (1 detection, auto-extracted)
Process Access (1 detection, auto-extracted)
Child Process (1 detection, auto-extracted)
Named Pipe (1 detection, auto-extracted)
Suspicious (1 detection, auto-extracted)
Suspicious (1 detection, auto-extracted)
Powershell (1 detection, auto-extracted)
Named Pipe (1 detection, auto-extracted)
Inject (1 detection, auto-extracted)
Module Load Monitoring (1 detection, auto-extracted)
Api (1 detection, auto-extracted)
Exfiltrat (1 detection, auto-extracted)
Persist (1 detection, auto-extracted)
C2 (1 detection, auto-extracted)
Hollow (1 detection, auto-extracted)
Base64 (1 detection, auto-extracted)
Process Access (1 detection, auto-extracted)
Hollow (1 detection, auto-extracted)
Child Process (1 detection, auto-extracted)
Masquerad (1 detection, auto-extracted)
Service (1 detection, auto-extracted)
Parent Process (1 detection, auto-extracted)
Service (1 detection, auto-extracted)
Evasion (1 detection, auto-extracted)
Parent Process (1 detection, auto-extracted)
Suspicious (1 detection, auto-extracted)
Evasion (1 detection, auto-extracted)
Bypass (1 detection, auto-extracted)
Masquerad (1 detection, auto-extracted)
Hollow (1 detection, auto-extracted)
Suspicious (1 detection, auto-extracted)
Base64 (1 detection, auto-extracted)
Child Process (1 detection, auto-extracted)
Unusual (1 detection, auto-extracted)
Process Access (1 detection, auto-extracted)
Shellcode (1 detection, auto-extracted)
Inject (1 detection, auto-extracted)
Shellcode (1 detection, auto-extracted)

DETECTIONS (79)

Cisco NVM - Non-Network Binary Making Network Connection (splunk_escu)
Cisco NVM - Suspicious Network Connection From Process With No Args (splunk_escu)
Cisco Secure Firewall - Communication Over Suspicious Ports (splunk_escu)
CobaltStrike Named Pipe (sigma, critical)
CobaltStrike Named Pipe Pattern Regex (sigma, critical)
CobaltStrike Named Pipe Patterns (sigma, high)
Conhost Spawned By Suspicious Parent Process (elastic, high)
Create Remote Thread In Shell Application (splunk_escu)
Created Files by Microsoft Sync Center (sigma, medium)
DLLHost with no Command Line Arguments with Network (splunk_escu)
Dllhost.EXE Execution Anomaly (sigma, high)
DotNet CLR DLL Loaded By Scripting Applications (sigma, high)
GPUpdate with no Command Line Arguments with Network (splunk_escu)
HackTool - CoercedPotato Execution (sigma, high)
HackTool - CoercedPotato Named Pipe Creation (sigma, high)
HackTool - DInjector PowerShell Cradle Execution (sigma, critical)
HackTool - EfsPotato Named Pipe Creation (sigma, high)
Linux Process Hooking via GDB (elastic, low)
Malicious Named Pipe Created (sigma, critical)
Memory Threat - Detected - Elastic Defend (elastic, high)
Memory Threat - Prevented - Elastic Defend (elastic, high)
Microsoft Sync Center Suspicious Network Connections (sigma, medium)
Network Connection Initiated Via Notepad.EXE (sigma, high)
Notepad with no Command Line Arguments (splunk_escu)
Potential DLL Sideloading Using Coregen.exe (sigma, medium)
Potential Executable Run Itself As Sacrificial Process (sigma, low)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potential Process Injection Via Msra.EXE (sigma, high)
Potential Process Injection via PowerShell (elastic, high)
Potential Shellcode Injection (sigma, medium)
Potential Sudo Token Manipulation via Process Injection (elastic, medium)
Powershell Fileless Process Injection via GetProcAddress (splunk_escu)
Powershell Remote Thread To Known Windows Process (splunk_escu)
PowerShell ShellCode (sigma, high)
Privilege Escalation via GDB CAP_SYS_PTRACE (elastic, medium)
Process Creation Using Sysnative Folder (sigma, medium)
Process Injection - Detected - Elastic Endgame (elastic, high)
Process Injection - Prevented - Elastic Endgame (elastic, medium)
Process Injection by the Microsoft Build Engine (elastic, low)
Rare Remote Thread Creation By Uncommon Source Image (sigma, high)
Remote Thread Created In Shell Application (sigma, medium)
Remote Thread Creation By Uncommon Source Image (sigma, medium)
Root Network Connection via GDB CAP_SYS_PTRACE (elastic, medium)
Rundll32 Create Remote Thread To A Process (splunk_escu)
Rundll32 CreateRemoteThread In Browser (splunk_escu)
SearchProtocolHost with no Command Line with Network (splunk_escu)
Suspect Svchost Activity (sigma, high)
Suspicious .NET Reflection via PowerShell (elastic, medium)
Suspicious Child Process Of Wermgr.EXE (sigma, high)
Suspicious Communication App Child Process (elastic, medium)
Suspicious DLLHost no Command Line Arguments (splunk_escu)
Suspicious Endpoint Security Parent Process (elastic, medium)
Suspicious GPUpdate no Command Line Arguments (splunk_escu)
Suspicious Managed Code Hosting Process (elastic, high)
Suspicious Portable Executable Encoded in Powershell Script (elastic, medium)
Suspicious Process Access via Direct System Call (elastic, high)
Suspicious Process Creation CallTrace (elastic, medium)
Suspicious Rundll32 Invoking Inline VBScript (sigma, high)
Suspicious SearchProtocolHost no Command Line Arguments (splunk_escu)
Suspicious Userinit Child Process (sigma, medium)
Suspicious Zoom Child Process (elastic, medium)
Trickbot Named Pipe (splunk_escu)
Uncommon Svchost Command Line Parameter (sigma, high)
Unusual Child Process from a System Virtual Process (elastic, high)
Unusual Linux Network Activity (elastic, low)
Unusual Parent-Child Relationship (elastic, medium)
Unusual Service Host Child Process - Childless Service (elastic, medium)
Unusual Windows Network Activity (elastic, low)
Windows List ENV Variables Via SET Command From Uncommon Parent (splunk_escu)
Windows Process Injection In Non-Service SearchIndexer (splunk_escu)
Windows Process Injection Wermgr Child Process (splunk_escu)
Windows Process With NamedPipe CommandLine (splunk_escu)
Windows PUA Named Pipe (splunk_escu)
Windows Remote Assistance Spawning Process (splunk_escu)
Windows RMM Named Pipe (splunk_escu)
Windows Suspicious C2 Named Pipe (splunk_escu)
Windows Suspicious Named Pipe (splunk_escu)
Winhlp32 Spawning a Process (splunk_escu)
Wscript Or Cscript Suspicious Child Process (splunk_escu)