LoFP / false positives may be present based on sourceimage paths. if removing the paths is important, realize svchost and many native binaries inject into notepad consistently. restrict or tune as needed.

Techniques

• T1055
• T1055.002

Sample rules

Windows Process Injection into Notepad

• source: splunk
• technicques:
  • T1055
  • T1055.002

Description

The following analytic utilizes Sysmon to identify process injection into Notepad.exe, based on GrantedAccess requests - 0x40 and 0x1fffff. This particular behavior is attributed to the defaults of the SliverC2 framework by BishopFox. By default, the analytic filters out any SourceImage paths of System32, Syswow64 and program files. Add more as needed, or remove and monitor what is consistently injecting into notepad.exe. This particular behavior will occur from a source image that is the initial payload dropped.

Detection logic

`sysmon` EventCode=10 TargetImage IN (*\\notepad.exe) NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*")) GrantedAccess IN ("0x40","0x1fffff") 
| stats count min(_time) as firstTime max(_time) as lastTime by dest SourceImage TargetImage GrantedAccess CallTrace 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_process_injection_into_notepad_filter`