Detection rules › Splunk
Windows Process Injection into Commonly Abused Processes
The following analytic detects process injection into executables that are commonly abused, using Sysmon EventCode 10 (ProcessAccess). It looks for GrantedAccess values of 0x40 (PROCESS_DUP_HANDLE), 0x1f3fff and 0x1fffff (PROCESS_ALL_ACCESS) requested against targets such as notepad.exe, wordpad.exe, calc.exe, svchost.exe and lsass.exe, while excluding SourceImage paths under System32 and SysWOW64. Note that the two Program Files exclusions in the search are anchored under \Windows\ (*:\\Windows\\Program Files\\*), which is not where the real Program Files directories live, so in practice they suppress nothing; tune them if signed vendor software under C:\Program Files turns out to be noisy. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity matters because it may indicate an initial payload attempting to execute code inside another process. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055.002 Process Injection: Portable Executable Injection |
| Defense Evasion | T1055.002 Process Injection: Portable Executable Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: search
search NOT SourceImage IN ("*:\\Windows\\Program Files (x86)\\*", "*:\\Windows\\Program Files\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*") EventCode=10 GrantedAccess IN ("0x1f3fff", "0x1fffff", "0x40") TargetImage IN ("*\\CalculatorApp.exe", "*\\backgroundtaskhost.exe", "*\\calc.exe", "*\\chrome.exe", "*\\dllhost.exe", "*\\edge.exe", "*\\firefox.exe", "*\\lsass.exe", "*\\mspaint.exe", "*\\notepad.exe", "*\\regsvr32.exe", "*\\searchprotocolhost.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\werfault.exe", "*\\win32calc.exe", "*\\wordpad.exe", "*\\wuauclt.exe")
Stage 2: stats
stats BY dest, user_id, parent_process_name, parent_process_guid, process_name, process_guid, process_id, signature, SourceImage, TargetImage, GrantedAccess, CallTrace
Stage 3: eval
eval ...
Stage 4: search
search
Stage 5: search
search
Stage 6: table
table CallTrace, GrantedAccess, SourceImage, TargetImage, dest, firstTime, lastTime, parent_process_guid, parent_process_name, process_guid, process_id, process_name, signature, user_id
Stage 7: search
search `macro`
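To see which events Stage 1 actually lets through, here is an added Python emulation of that stage run over a handful of constructed Sysmon Event ID 10 records. It is not part of the rule or of Splunk; the path, access-mask and target-image literals are copied from the search above, the sample events are made up for the demonstration, and the access-right names come from winnt.h so that a matched GrantedAccess mask can be read back as individual rights.

```python
"""Emulate the rule's Stage 1 filter over constructed Sysmon Event ID 10 records."""
import fnmatch

# Literals copied from the rule's Stage 1 search; an SPL "\\" is a single backslash.
EXCLUDED_SOURCE_PATHS = [
    r"*:\Windows\Program Files (x86)\*",
    r"*:\Windows\Program Files\*",
    r"*:\Windows\SysWOW64\*",
    r"*:\Windows\System32\*",
]
GRANTED_ACCESS = {"0x1f3fff", "0x1fffff", "0x40"}
TARGET_IMAGES = [
    r"*\CalculatorApp.exe", r"*\backgroundtaskhost.exe", r"*\calc.exe",
    r"*\chrome.exe", r"*\dllhost.exe", r"*\edge.exe", r"*\firefox.exe",
    r"*\lsass.exe", r"*\mspaint.exe", r"*\notepad.exe", r"*\regsvr32.exe",
    r"*\searchprotocolhost.exe", r"*\spoolsv.exe", r"*\svchost.exe",
    r"*\werfault.exe", r"*\win32calc.exe", r"*\wordpad.exe", r"*\wuauclt.exe",
]

# Process access rights as defined in winnt.h (specific rights, standard rights, SYNCHRONIZE).
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"), (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x2000, "PROCESS_SET_LIMITED_INFORMATION"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]


def decode_access(mask_hex):
    """Expand a Sysmon GrantedAccess string into right names; unnamed bits are appended as hex."""
    mask = int(mask_hex, 16)
    names = []
    for bit, name in PROCESS_RIGHTS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:  # 0x1fffff carries 0xc000, which winnt.h gives no name
        names.append(f"0x{mask:x}")
    return names


def _glob(value, patterns):
    """Splunk wildcard match: '*' is the only metacharacter and comparison is case-insensitive."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def matches_rule(event):
    """The Stage 1 predicate: EventCode, SourceImage exclusions, GrantedAccess and TargetImage."""
    return (
        event.get("EventCode") == 10
        and not _glob(event["SourceImage"], EXCLUDED_SOURCE_PATHS)
        and event["GrantedAccess"].lower() in GRANTED_ACCESS
        and _glob(event["TargetImage"], TARGET_IMAGES)
    )


# Constructed sample events (not real telemetry); Sysmon writes GrantedAccess in upper-case hex.
SAMPLE_EVENTS = [
    {"id": "e1", "EventCode": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e2", "EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e3", "EventCode": 10, "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e4", "EventCode": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"id": "e5", "EventCode": 1, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": "e6", "EventCode": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x40"},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events Stage 1 would pass on to the stats stage."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "MATCH" if matches_rule(e) else "-----"
        print(verdict, e["id"], e["SourceImage"], "->", e["TargetImage"],
              e["GrantedAccess"], decode_access(e["GrantedAccess"]))
```

Running it shows e1, e3 and e6 firing. e2 is dropped only because its SourceImage sits under System32; e3, whose source lives under C:\Program Files, still fires because the rule's Program Files patterns require a \Windows\ prefix, so a signed vendor agent that legitimately opens svchost.exe with PROCESS_ALL_ACCESS is not excluded. e4 is dropped because 0x1410 (QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION) is not one of the three listed masks.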
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | SourceImage | in | "*:\\Windows\\Program Files (x86)\\*", "*:\\Windows\\Program Files\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*" |
Indicators
Each row is a field, operator, and value that the rule matches; the values are those used in Stage 1.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 10 |
| GrantedAccess | in | "0x1f3fff", "0x1fffff", "0x40" |
| TargetImage | in | "*\\CalculatorApp.exe", "*\\backgroundtaskhost.exe", "*\\calc.exe", "*\\chrome.exe", "*\\dllhost.exe", "*\\edge.exe", "*\\firefox.exe", "*\\lsass.exe", "*\\mspaint.exe", "*\\notepad.exe", "*\\regsvr32.exe", "*\\searchprotocolhost.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\werfault.exe", "*\\win32calc.exe", "*\\wordpad.exe", "*\\wuauclt.exe" |