ATT&CK coverage › Technique

Process Injection `T1055`

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	3	Network connection
Sysmon	7	Image loaded
Sysmon	8	CreateRemoteThread
Sysmon	10	ProcessAccess
Sysmon	11	FileCreate
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)
Security-Auditing	4688	A new process has been created.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.
Defender-DeviceEvents	9007006	Named pipe event
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 43 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (23 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	18	`ends_with` 15, `eq` 4, `match` 3, `starts_with` 1, `is_null` 1	`\mobsync.exe`, `\svchost.exe`, `"*\\rundll32.exe"`, `:\Program Files\Websense\`, `:\Program Files (x86)\Websense\`
`CommandLine`	12	`match` 7, `is_null` 3, `eq` 3, `regex_match` 2, `in` 2, `ends_with` 1	`svchost.exe`, `dllhost`, `dllhost.exe`, `--exploitId` , `/password`
`EventID`	10	`eq` 8, `in` 2	`17`, `18`, `8`, `4104`
`PipeName`	8	`match` 4, `starts_with` 3, `eq` 3, `regex_match` 2, `ends_with` 1	`[a-fA-F0-9]{2,10}$`, `CobaltStrikeMallable`, `CobaltStrikeDefaults`, `-server`, `\status_`
`TargetImage`	7	`eq` 4, `in` 3, `starts_with` 2, `ends_with` 1, `is_null` 1, `match` 1	`?:\WINDOWS\system32\lsass.exe`, `C:\Program Files\`, `C:\Windows\System32\svchost.exe`, `C:\Windows\explorer.exe`, `C:\Windows\System32\LogonUI.exe`
`ParentImage`	5	`ends_with` 5	`\msra.exe`, `\rpcnetp.exe`, `\rpcnet.exe`, `\wermgr.exe`, `\userinit.exe`
`process_name`	4	`eq` 4	`MSBuild.exe`, `dllhost.exe`, `gpupdate.exe`, `searchprotocolhost.exe`
`DestinationPort`	4	`ne` 3, `eq` 1	`0`, `9100`
`tool`	4	`is_not_null` 4
`OriginalFileName`	3	`eq` 3	`explorer.exe`, `dllhost.exe`, `searchprotocolhost.exe`
`parent_process_name`	2	`eq` 1, `in` 1	`regsvr32.exe`, `fltldr.exe`, `msxsl.exe`, `"powershell.exe"`, `"powershell_ise.exe"`
`ImageLoaded`	2	`ends_with` 1, `starts_with` 1	`\clr.dll`, `\mscoree.dll`, `\mscorlib.dll`, `C:\Windows\System32\`, `C:\Program Files\Microsoft Silverlight\`
`ScriptBlockText`	2	`match` 1, `eq` 1	`OiJAAAAYInlM`, `OiCAAAAYInlM`, `getprocaddress`
`Provider_Name`	1	`eq` 1	`Microsoft-Windows-Sysmon`
`CallTrace`	1	`match` 1	`UNKNOWN`

Top indicator values (360 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`EventID`	`eq`	`8`	4	8
`Image`	`ends_with`	`\cscript.exe`	3	64
`Image`	`ends_with`	`\regsvr32.exe`	3	57
`Image`	`ends_with`	`\mshta.exe`	3	57
`Image`	`ends_with`	`\wscript.exe`	3	64
`DestinationPort`	`ne`	`0`	3	6
`EventID`	`eq`	`17`	3	3
`EventID`	`eq`	`18`	3	3
`Image`	`ends_with`	`\mobsync.exe`	2	2
`Image`	`ends_with`	`\wmic.exe`	2	37
`Image`	`ends_with`	`\netstat.exe`	2	5
`Image`	`ends_with`	`\whoami.exe`	2	18
`Image`	`ends_with`	`\cmd.exe`	2	92
`Image`	`ends_with`	`\nslookup.exe`	2	4
`Image`	`ends_with`	`\net.exe`	2	27
`Image`	`ends_with`	`\schtasks.exe`	2	45
`TargetImage`	`starts_with`	`C:\Program Files (x86)\`	2	2
`TargetImage`	`starts_with`	`C:\Program Files\`	2	2
`TargetImage`	`eq`	`C:\Windows\System32\conhost.exe`	2	2
`TargetImage`	`eq`	`System`	2	2

Common exclusions (47 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`process_name`	`in`	`"*:\\Windows\\System32\\svchost.exe"`	4
`process_name`	`in`	`"\\AppData\\Local\\Microsoft"`	4
`process_name`	`in`	`":\\Program Files\\Microsoft"`	4
`process_name`	`in`	`":\\Program Files $x86$\\Microsoft"`	4
`process_name`	`in`	`":\\Program Files $x86$\\Adobe"`	4
`process_name`	`in`	`"*:\\Windows\\system32\\SearchIndexer.exe"`	4
`process_name`	`in`	`":\\Windows\\SystemApps\\Microsoft"`	4
`process_name`	`in`	`":\\Program Files $x86$\\Google"`	4
`process_name`	`in`	`":\\Program Files\\Adobe"`	4
`process_name`	`in`	`"\\AppData\\Local\\Google"`	4
`process_name`	`in`	`"\\AppData\\Local\\Kingsoft\\"`	4
`process_name`	`in`	`"\\Amazon\\SSM\\Instance"`	4
`process_name`	`in`	`":\\Program Files\\Google"`	4
`process_name`	`in`	`"System"`	4
`CallTrace`	`wildcard`	`?:\ProgramData\Symantec\Symantec Endpoint Protection\\sysfer.dll`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 24 rules

CobaltStrike Named Pipe severity critical, 2 events, 12 indicators, 0 exclusions
CobaltStrike Named Pipe Pattern Regex severity critical, 2 events, 19 indicators, 0 exclusions
CobaltStrike Named Pipe Patterns severity high, 2 events, 35 indicators, 0 exclusions
Created Files by Microsoft Sync Center severity medium, 1 event, 3 indicators, 0 exclusions
Dllhost.EXE Execution Anomaly severity high, 2 events, 3 indicators, 0 exclusions
DotNet CLR DLL Loaded By Scripting Applications severity high, 1 event, 10 indicators, 0 exclusions
HackTool - CoercedPotato Execution severity high, 1 event, 5 indicators, 0 exclusions
HackTool - CoercedPotato Named Pipe Creation severity high, 2 events, 1 indicator, 0 exclusions
HackTool - DInjector PowerShell Cradle Execution severity critical, 2 events, 2 indicators, 0 exclusions
HackTool - EfsPotato Named Pipe Creation severity high, 2 events, 4 indicators, 0 exclusions
Malicious Named Pipe Created severity critical, 2 events, 27 indicators, 0 exclusions
Microsoft Sync Center Suspicious Network Connections severity medium, 1 event, 9 indicators, 0 exclusions
Network Connection Initiated Via Notepad.EXE severity high, 1 event, 2 indicators, 0 exclusions
Potential DLL Sideloading Using Coregen.exe severity medium, 1 event, 5 indicators, 0 exclusions
Potential Process Injection Via Msra.EXE severity high, 1 event, 10 indicators, 0 exclusions
PowerShell ShellCode severity high, 1 event, 2 indicators, 0 exclusions
Process Creation Using Sysnative Folder severity medium, 2 events, 11 indicators, 0 exclusions
Rare Remote Thread Creation By Uncommon Source Image severity high, 1 event, 57 indicators, 0 exclusions
Remote Thread Creation By Uncommon Source Image severity medium, 1 event, 51 indicators, 0 exclusions
Suspect Svchost Activity severity high, 2 events, 4 indicators, 0 exclusions
Suspicious Child Process Of Wermgr.EXE severity high, 2 events, 21 indicators, 0 exclusions
Suspicious Rundll32 Invoking Inline VBScript severity high, 2 events, 4 indicators, 0 exclusions
Suspicious Userinit Child Process severity medium, 1 event, 5 indicators, 0 exclusions
Uncommon Svchost Command Line Parameter severity high, 2 events, 6 indicators, 0 exclusions

Elastic 3 rules

Process Injection by the Microsoft Build Engine 1 event, 2 indicators, 0 exclusions
Suspicious Process Access via Direct System Call 1 event, 1 indicator, 4 exclusions
Suspicious Process Creation CallTrace 2 events, 17 indicators, 11 exclusions

Splunk 13 rules

Create Remote Thread In Shell Application 1 event, 4 indicators, 0 exclusions
DLLHost with no Command Line Arguments with Network 2 events, 6 indicators, 0 exclusions
GPUpdate with no Command Line Arguments with Network 2 events, 3 indicators, 0 exclusions
Powershell Fileless Process Injection via GetProcAddress 1 event, 2 indicators, 0 exclusions
Powershell Remote Thread To Known Windows Process 1 event, 14 indicators, 0 exclusions
Rundll32 Create Remote Thread To A Process 1 event, 3 indicators, 0 exclusions
Rundll32 CreateRemoteThread In Browser 1 event, 6 indicators, 0 exclusions
SearchProtocolHost with no Command Line with Network 2 events, 6 indicators, 0 exclusions
Trickbot Named Pipe 2 events, 3 indicators, 0 exclusions
Windows PUA Named Pipe 2 events, 2 indicators, 1 exclusion
Windows RMM Named Pipe 2 events, 2 indicators, 1 exclusion
Windows Suspicious C2 Named Pipe 2 events, 2 indicators, 1 exclusion
Windows Suspicious Named Pipe 2 events, 2 indicators, 1 exclusion

Kusto Query Language 3 rules

Powershell Empire Cmdlets Executed in Command Line 1 event, 0 indicators, 0 exclusions
Solorigate Named Pipe 3 events, 0 indicators, 0 exclusions
Suspicious named pipes 3 events, 11 indicators, 0 exclusions

Process Injection T1055