False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. If removing the paths is important, realize svchost and many native binaries inject into processes consistently. Restrict or tune as needed.

Techniques

Sample rules

Windows Process Injection into Commonly Abused Processes

Description

The following analytic uses Sysmon EventCode 10 to detect process injection into commonly abused executables. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.

Detection logic

`sysmon` EventCode=10 TargetImage IN ("*\\notepad.exe", "*\\wordpad.exe", "*\\calc.exe", "*\\mspaint.exe", "*\\lsass.exe", "*\\svchost.exe", "*\\backgroundtaskhost.exe", "*\\dllhost.exe", "*\\regsvr32.exe", "*\\searchprotocolhost.exe", "*\\werfault.exe", "*\\wuauclt.exe", "*\\spoolsv.exe", "*\\chrome.exe", "*\\edge.exe", "*\\firefox.exe") NOT (SourceImage IN ("*\\system32\\*","*\\syswow64\\*","*\\Program Files\\*", "*\\Program Files (x86)\\*")) GrantedAccess IN ("0x40","0x1fffff", "0x1f3fff") 
| stats values(user) as user, min(_time) as firstTime, max(_time) as lastTime, count by dest SourceImage TargetImage GrantedAccess CallTrace 
| eval CallTrace=split(CallTrace, "|") 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime dest user SourceImage TargetImage GrantedAccess CallTrace count 
| `windows_process_injection_into_commonly_abused_processes_filter`
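
Added example, not part of the original rule: the same filter restated in Python and run over constructed Sysmon EventCode 10 records, to show which events the SourceImage exclusion suppresses and which access rights each matched GrantedAccess value carries. The event values, paths, the ev helper and the function names are assumptions made for illustration; the image list, excluded paths and masks are copied from the search above.

```python
# Added example: the SPL filter restated in Python and run on constructed events.
TARGETS = ("notepad.exe wordpad.exe calc.exe mspaint.exe lsass.exe svchost.exe "
           "backgroundtaskhost.exe dllhost.exe regsvr32.exe searchprotocolhost.exe "
           "werfault.exe wuauclt.exe spoolsv.exe chrome.exe edge.exe firefox.exe").split()
TARGET_SUFFIXES = tuple("\\" + name for name in TARGETS)
EXCLUDED_SOURCE_DIRS = ("\\system32\\", "\\syswow64\\", "\\program files\\",
                        "\\program files (x86)\\")
ACCESS_MASKS = {0x40, 0x1FFFFF, 0x1F3FFF}

# Subset of the Windows process access rights, enough to read what a mask permits.
RIGHTS = {0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
          0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
          0x0040: "PROCESS_DUP_HANDLE"}

def decode_rights(mask):
    """Names of the listed rights that are set in a GrantedAccess mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def evaluate(event):
    """Return a finding if the Sysmon event satisfies the rule, else None."""
    if event.get("EventCode") != 10:
        return None
    source = event["SourceImage"].lower()   # the SPL comparison is case-insensitive
    target = event["TargetImage"].lower()
    if not target.endswith(TARGET_SUFFIXES):
        return None
    if any(d in source for d in EXCLUDED_SOURCE_DIRS):
        return None                         # the rule's built-in path exclusion
    mask = int(event["GrantedAccess"], 16)
    if mask not in ACCESS_MASKS:
        return None                         # exact values only, as in IN (...)
    return {"source": event["SourceImage"], "target": event["TargetImage"],
            "rights": decode_rights(mask),
            "frames": event["CallTrace"].split("|")}  # same split as the eval step

# Constructed sample events (hypothetical paths and call trace).
TRACE = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\KERNELBASE.dll+2c13e"
def ev(source, target, access):
    return {"EventCode": 10, "SourceImage": source, "TargetImage": target,
            "GrantedAccess": access, "CallTrace": TRACE}
EVENTS = [
    ev(r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\notepad.exe", "0x1fffff"),
    ev(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", "0x1fffff"),
    ev(r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\System32\notepad.exe", "0x1410"),
    ev(r"C:\ProgramData\Vendor\agent.exe", r"C:\Windows\System32\lsass.exe", "0x40"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["SourceImage"], e["GrantedAccess"], "->", evaluate(e))
```

The fourth event is the kind of hit the false-positive note describes: a binary outside the excluded paths with a plausible reason to touch lsass.exe, matching on 0x40 alone, which is where the filter macro would be tuned.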