Windows Process Injection With Public Source Path
- source: splunk
- techniques:
  - T1055
  - T1055.002
Description
The following analytic identifies a process running from a non-standard file path on Windows that attempts to create a remote thread in another process. The Windows API involved, CreateRemoteThread, is commonly used by adversaries for process injection to evade detection or to gain privilege escalation.
Detection logic
`sysmon` EventCode=8 TargetImage = "*.exe" AND NOT(SourceImage IN("C:\\Windows\\*", "C:\\Program File*", "%systemroot%\\*"))
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage signature TargetProcessGuid SourceProcessGuid TargetProcessId SourceProcessId StartAddress EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_injection_with_public_source_path_filter`
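As an added example that is not part of the Splunk rule, the following Python re-implements the search's filter and stats stages over constructed Sysmon Event ID 8 records, so the path exclusions and grouping can be checked offline. Field names follow the rule; the sample events and host names are made up.

```python
import fnmatch

# Mirrors the rule's NOT(SourceImage IN(...)) clause. Matching is done
# case-insensitively, as Splunk's default field matching is.
SOURCE_EXCLUSIONS = (r"C:\Windows\*", r"C:\Program File*", r"%systemroot%\*")


def is_excluded_source(source_image: str) -> bool:
    """True when SourceImage falls under one of the trusted path patterns."""
    src = source_image.lower()
    return any(fnmatch.fnmatchcase(src, pat.lower()) for pat in SOURCE_EXCLUSIONS)


def matches_rule(event: dict) -> bool:
    """First line of the search: Sysmon EventCode 8, .exe target, untrusted source path."""
    if str(event.get("EventCode")) != "8":
        return False
    if not fnmatch.fnmatchcase(event.get("TargetImage", "").lower(), "*.exe"):
        return False
    return not is_excluded_source(event.get("SourceImage", ""))


def summarize(events):
    """Equivalent of the stats line, keyed on (SourceImage, TargetImage, dest)."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["SourceImage"], ev["TargetImage"], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


# Constructed Sysmon records (not real telemetry). Only the first two should survive the filter.
SAMPLE_EVENTS = [
    {"EventCode": 8, "_time": 100, "dest": "ws01", "SourceImage": r"C:\Users\Public\update.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 8, "_time": 150, "dest": "ws01", "SourceImage": r"C:\Users\Public\update.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 8, "_time": 120, "dest": "ws01", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\svchost.exe"},  # trusted path
    {"EventCode": 8, "_time": 130, "dest": "ws02", "SourceImage": r"C:\Program Files\Vendor\agent.exe", "TargetImage": r"C:\Windows\explorer.exe"},  # "C:\Program File*"
    {"EventCode": 1, "_time": 140, "dest": "ws02", "SourceImage": r"C:\Temp\x.exe", "TargetImage": r"C:\Windows\explorer.exe"},  # not EventCode 8
    {"EventCode": 8, "_time": 160, "dest": "ws02", "SourceImage": r"C:\Temp\x.exe", "TargetImage": r"C:\Windows\System32\ntdll.dll"},  # target not .exe
]

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_EVENTS).items():
        print(key, stats)
```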