T1055

Process Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a le...

Platforms: Linux, macOS, Windows

76 Detections | 3 Sources | 15 Threat Actors

BY SOURCE: splunk_escu 27, elastic 25, sigma 24

PROCEDURES (48)

Procedure clusters are auto-extracted from the detection set; each line gives the cluster label and the number of detections assigned to it. Labels repeat where separate clusters received the same keyword, and the counts sum to the 76 detections listed below.

Lateral: 5 detections
C2: 5 detections
Child Process: 4 detections
Remote Thread: 4 detections
General Monitoring: 4 detections
Inject: 3 detections
Inject: 2 detections
Command And Control: 2 detections
Dump: 2 detections
Command And Control: 2 detections
Privilege: 2 detections
Child Process: 2 detections
Base64: 2 detections
Powershell: 2 detections
C2: 2 detections
Privilege: 1 detection
Process Creation Monitoring: 1 detection
Privilege: 1 detection
Evasion: 1 detection
Bypass: 1 detection
Masquerad: 1 detection
Hollow: 1 detection
Suspicious: 1 detection
Process Access: 1 detection
Hollow: 1 detection
Child Process: 1 detection
Masquerad: 1 detection
Service: 1 detection
Parent Process: 1 detection
Service: 1 detection
Evasion: 1 detection
Parent Process: 1 detection
Process Access: 1 detection
Evasion: 1 detection
Hollow: 1 detection
Bypass: 1 detection
Named Pipe: 1 detection
Parent Process: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Dump: 1 detection
Named Pipe: 1 detection
Suspicious: 1 detection
Inject: 1 detection
Module Load Monitoring: 1 detection
Credential: 1 detection
Token: 1 detection
Unusual: 1 detection

DETECTIONS (76)

Each entry gives the rule name followed by its source and, where the page records one, its severity; splunk_escu entries carry no severity here.

Cisco NVM - Non-Network Binary Making Network Connection (splunk_escu)
Cisco NVM - Suspicious Network Connection From Process With No Args (splunk_escu)
Cisco Secure Firewall - Communication Over Suspicious Ports (splunk_escu)
CobaltStrike Named Pipe (sigma, critical)
CobaltStrike Named Pipe Pattern Regex (sigma, critical)
CobaltStrike Named Pipe Patterns (sigma, high)
Conhost Spawned By Suspicious Parent Process (elastic, high)
Create Remote Thread In Shell Application (splunk_escu)
Created Files by Microsoft Sync Center (sigma, medium)
DLLHost with no Command Line Arguments with Network (splunk_escu)
Dllhost.EXE Execution Anomaly (sigma, high)
DotNet CLR DLL Loaded By Scripting Applications (sigma, high)
GPUpdate with no Command Line Arguments with Network (splunk_escu)
HackTool - CoercedPotato Execution (sigma, high)
HackTool - CoercedPotato Named Pipe Creation (sigma, high)
HackTool - DInjector PowerShell Cradle Execution (sigma, critical)
HackTool - EfsPotato Named Pipe Creation (sigma, high)
Linux Process Hooking via GDB (elastic, low)
Malicious Named Pipe Created (sigma, critical)
Memory Threat - Detected - Elastic Defend (elastic, high)
Memory Threat - Prevented - Elastic Defend (elastic, high)
Microsoft Sync Center Suspicious Network Connections (sigma, medium)
Network Connection Initiated Via Notepad.EXE (sigma, high)
Notepad with no Command Line Arguments (splunk_escu)
Potential DLL Sideloading Using Coregen.exe (sigma, medium)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Potential Process Injection Via Msra.EXE (sigma, high)
Potential Process Injection via PowerShell (elastic, high)
Potential Sudo Token Manipulation via Process Injection (elastic, medium)
Powershell Fileless Process Injection via GetProcAddress (splunk_escu)
Powershell Remote Thread To Known Windows Process (splunk_escu)
PowerShell ShellCode (sigma, high)
Privilege Escalation via GDB CAP_SYS_PTRACE (elastic, medium)
Process Creation Using Sysnative Folder (sigma, medium)
Process Injection - Detected - Elastic Endgame (elastic, high)
Process Injection - Prevented - Elastic Endgame (elastic, medium)
Process Injection by the Microsoft Build Engine (elastic, low)
Rare Remote Thread Creation By Uncommon Source Image (sigma, high)
Remote Thread Creation By Uncommon Source Image (sigma, medium)
Root Network Connection via GDB CAP_SYS_PTRACE (elastic, medium)
Rundll32 Create Remote Thread To A Process (splunk_escu)
Rundll32 CreateRemoteThread In Browser (splunk_escu)
SearchProtocolHost with no Command Line with Network (splunk_escu)
Suspect Svchost Activity (sigma, high)
Suspicious .NET Reflection via PowerShell (elastic, medium)
Suspicious Child Process Of Wermgr.EXE (sigma, high)
Suspicious Communication App Child Process (elastic, medium)
Suspicious DLLHost no Command Line Arguments (splunk_escu)
Suspicious Endpoint Security Parent Process (elastic, medium)
Suspicious GPUpdate no Command Line Arguments (splunk_escu)
Suspicious Managed Code Hosting Process (elastic, high)
Suspicious Portable Executable Encoded in Powershell Script (elastic, medium)
Suspicious Process Access via Direct System Call (elastic, high)
Suspicious Process Creation CallTrace (elastic, medium)
Suspicious Rundll32 Invoking Inline VBScript (sigma, high)
Suspicious SearchProtocolHost no Command Line Arguments (splunk_escu)
Suspicious Userinit Child Process (sigma, medium)
Suspicious Zoom Child Process (elastic, medium)
Trickbot Named Pipe (splunk_escu)
Uncommon Svchost Command Line Parameter (sigma, high)
Unusual Child Process from a System Virtual Process (elastic, high)
Unusual Linux Network Activity (elastic, low)
Unusual Parent-Child Relationship (elastic, medium)
Unusual Service Host Child Process - Childless Service (elastic, medium)
Unusual Windows Network Activity (elastic, low)
Windows List ENV Variables Via SET Command From Uncommon Parent (splunk_escu)
Windows Process Injection In Non-Service SearchIndexer (splunk_escu)
Windows Process Injection Wermgr Child Process (splunk_escu)
Windows Process With NamedPipe CommandLine (splunk_escu)
Windows PUA Named Pipe (splunk_escu)
Windows Remote Assistance Spawning Process (splunk_escu)
Windows RMM Named Pipe (splunk_escu)
Windows Suspicious C2 Named Pipe (splunk_escu)
Windows Suspicious Named Pipe (splunk_escu)
Winhlp32 Spawning a Process (splunk_escu)
Wscript Or Cscript Suspicious Child Process (splunk_escu)
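The technique description at the top of this page and two of the rule families listed above (remote thread creation by an uncommon source image, and a process started with no command-line arguments that then makes a network connection, as in the Notepad, DLLHost, GPUpdate and SearchProtocolHost rules) can be shown as working detection logic. The block below is an added example written for this page; it is not code from Splunk ESCU, Elastic or Sigma. It assumes Sysmon-style event records (EventID 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread), and the allow/deny lists, the loopback exclusion and the sample events are all constructed for the example rather than taken from any of the listed rules.

```python
"""Detection logic for two T1055 signal families, run over constructed
Sysmon-style events. Added example for this page, not code from Splunk
ESCU, Elastic or Sigma. Field names follow Sysmon (EventID 1 =
ProcessCreate, 3 = NetworkConnect, 8 = CreateRemoteThread); the records
in SAMPLE_EVENTS are hand-constructed, not captured from a host."""

# Assumed lists, modelled on the rule names on the page, not copied from them.
# Images a user session almost never runs with an empty command line and
# that have no business initiating network connections.
NO_ARG_NETWORK_SUSPECTS = {"notepad.exe", "dllhost.exe", "gpupdate.exe",
                           "searchprotocolhost.exe"}
# Sources that create remote threads for benign reasons; the "uncommon
# source image" rules work by exclusion, so anything else is uncommon.
BENIGN_REMOTE_THREAD_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe",
                                "werfault.exe"}
# System processes that are frequently hollowed or injected into.
KNOWN_WINDOWS_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe",
                         "notepad.exe", "dllhost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_args(cmdline):
    """True if the command line is only the executable path. Handles a
    quoted path that itself contains spaces (C:\\Program Files\\...)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def detect(events):
    """Return (rule, subject, detail) alerts for an ordered event list."""
    alerts = []
    started = {}  # ProcessGuid -> (image, command line) from EventID 1
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            started[ev["ProcessGuid"]] = (basename(ev["Image"]),
                                          ev.get("CommandLine", ""))
        elif eid == 8:
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if (src not in BENIGN_REMOTE_THREAD_SOURCES and src != dst
                    and dst in KNOWN_WINDOWS_TARGETS):
                alerts.append(("remote_thread_uncommon_source", src, dst))
        elif eid == 3:
            # The network event carries no command line, so the "no
            # arguments" test needs the earlier ProcessCreate record.
            if ev["ProcessGuid"] not in started:
                continue
            img, cmdline = started[ev["ProcessGuid"]]
            if (ev["Initiated"] and img in NO_ARG_NETWORK_SUSPECTS
                    and has_no_args(cmdline)
                    and not ev["DestinationIp"].startswith("127.")):
                dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
                alerts.append(("no_args_process_network", img, dest))
    return alerts


def likely_injected(alerts):
    """Images that both received a remote thread and made an outbound
    connection with an empty command line: two independent signals on
    one process, which is what an analyst would escalate."""
    thread_targets = {dst for rule, _, dst in alerts
                      if rule == "remote_thread_uncommon_source"}
    net_sources = {img for rule, img, _ in alerts
                   if rule == "no_args_process_network"}
    return thread_targets & net_sources


# Constructed events: a PowerShell stager starts an argument-less notepad,
# creates a thread in it, and the hollowed notepad beacons out; plus noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NP = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "ProcessGuid": "P2", "Image": NP, "CommandLine": f'"{NP}"'},
    {"EventID": 8, "SourceImage": PS, "TargetImage": NP},
    {"EventID": 3, "ProcessGuid": "P2", "Image": NP, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: notepad opened with a file argument, so the no-args rule
    # stays silent even though it connects to the same host.
    {"EventID": 1, "ProcessGuid": "P3", "Image": NP,
     "CommandLine": f'"{NP}" C:\\Users\\alice\\notes.txt'},
    {"EventID": 3, "ProcessGuid": "P3", "Image": NP, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: csrss creating a thread in explorer is routine.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # Argument-less dllhost talking to loopback: dropped by the IP filter.
    {"EventID": 1, "ProcessGuid": "P4", "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "dllhost.exe"},
    {"EventID": 3, "ProcessGuid": "P4", "Image": r"C:\Windows\System32\dllhost.exe",
     "Initiated": True, "DestinationIp": "127.0.0.1", "DestinationPort": 8080},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("likely injected:", likely_injected(found))
```

Run against the sample, the block raises one alert per rule family, both on notepad.exe, and likely_injected returns that single image. The join through ProcessGuid is the point worth keeping: Sysmon's network event does not carry the command line, so a "no arguments with network" rule is necessarily a correlation of two records, and a process that started before logging began cannot be judged and is skipped rather than guessed at.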