Detection rules › Splunk

Windows Process Injection into Notepad

Author
Michael Haag, Splunk
Source
upstream

The following analytic detects process injection into Notepad.exe using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to Notepad.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code within Notepad.exe. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.

MITRE ATT&CK coverage

Tactic                Technique
Privilege Escalation  T1055.002 Process Injection: Portable Executable Injection
Defense Evasion       T1055.002 Process Injection: Portable Executable Injection

Event coverage

Provider  Event ID  Title
Sysmon    10        ProcessAccess

Stages and Predicates

Stage 1: search

search NOT SourceImage IN ("*\\Program Files\\*", "*\\system32\\*", "*\\syswow64\\*") EventCode=10 GrantedAccess IN ("0x1fffff", "0x40") TargetImage="*\\\\notepad.exe"

Stage 2: stats

stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`
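To check what Stage 1 and Stage 2 actually let through before the rule is deployed, the following is an added Python model of the two stages run over a handful of constructed Sysmon Event ID 10 records. It is not the rule's own SPL and not Splunk code; it assumes the fields have already been extracted the way the Sysmon add-on does (EventCode, SourceImage, TargetImage, GrantedAccess, dest), that Splunk's wildcard comparison on field values is case-insensitive, and that each `\\` in the SPL above stands for one literal backslash in the path. The stats stage is reduced to a count per (dest, SourceImage, TargetImage, GrantedAccess) group so the result is small enough to inspect.

```python
import fnmatch
from collections import defaultdict

# Constructed sample records shaped like Splunk-extracted Sysmon Event ID 10 fields.
# Host names, paths and CallTrace values are made up for the demonstration.
SAMPLE_EVENTS = [
    # Should alert: unsigned-looking source in a user profile opens notepad with full access.
    {"EventCode": "10", "dest": "WS01", "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    # Should NOT alert: SourceImage is under System32, which Stage 1 excludes.
    {"EventCode": "10", "dest": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    # Should NOT alert: GrantedAccess is not one of the two watched values.
    {"EventCode": "10", "dest": "WS02", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
    # Should NOT alert: target is not notepad.exe.
    {"EventCode": "10", "dest": "WS02", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "TargetImage": r"C:\Windows\System32\calc.exe", "GrantedAccess": "0x40"},
    # Should NOT alert: not a ProcessAccess event at all.
    {"EventCode": "1", "dest": "WS02", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\a.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x40"},
    # Should alert: same source as the first record, PROCESS_DUP_HANDLE (0x40) request.
    {"EventCode": "10", "dest": "WS01", "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x40"},
]

# Stage 1 predicates. In SPL "*\\system32\\*" is one literal backslash per "\\",
# so the Python patterns use raw strings with single backslashes.
EXCLUDED_SOURCE_IMAGES = (r"*\Program Files\*", r"*\system32\*", r"*\syswow64\*")
WATCHED_GRANTED_ACCESS = {"0x1fffff", "0x40"}
TARGET_IMAGE_PATTERN = r"*\notepad.exe"


def _wildcard_match(value, pattern):
    """Splunk-style '*' wildcard match; assumed case-insensitive like Splunk field matching."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_stage1(event):
    """Return True when a record passes every Stage 1 predicate of the rule."""
    if event.get("EventCode") != "10":
        return False
    if event.get("GrantedAccess", "").lower() not in WATCHED_GRANTED_ACCESS:
        return False
    if not _wildcard_match(event.get("TargetImage", ""), TARGET_IMAGE_PATTERN):
        return False
    # NOT SourceImage IN (...): any matching exclusion pattern suppresses the record.
    if any(_wildcard_match(event.get("SourceImage", ""), p) for p in EXCLUDED_SOURCE_IMAGES):
        return False
    return True


def run_rule(events):
    """Apply Stage 1, then group survivors the way a stats BY clause would.

    Returns {(dest, SourceImage, TargetImage, GrantedAccess): count}. GrantedAccess
    is lower-cased so 0x1FFFFF and 0x1fffff land in the same group.
    """
    groups = defaultdict(int)
    for ev in events:
        if matches_stage1(ev):
            key = (ev["dest"], ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"].lower())
            groups[key] += 1
    return dict(groups)


if __name__ == "__main__":
    for key, count in run_rule(SAMPLE_EVENTS).items():
        print(count, *key)
```

Running it on the sample set yields two groups, both for the user-profile source opening notepad.exe, one with 0x1fffff and one with 0x40; the System32-sourced record is dropped by the exclusion even though its access mask matches, which is exactly the trade-off the rule makes to keep noise from legitimate OS components out.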

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage  Field  Kind  Excluded values
1      Image  in    "*\\Program Files\\*", "*\\system32\\*", "*\\syswow64\\*"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          Kind  Values
EventCode      eq    10                corpus 14 (splunk 14)
GrantedAccess  in    "0x1fffff"        corpus 4 (splunk 4)
                     "0x40"            corpus 3 (splunk 3)
TargetImage    in    *\\notepad.exe