Windows Process Injection into Commonly Abused Processes

name: Windows Process Injection into Commonly Abused Processes
id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
version: 8
creation_date: '2023-02-24'
modification_date: '2026-05-13'
author: 0xC0FFEEEE, Github Community
status: production
type: Anomaly
description: The following analytic detects process injection into executables that are commonly abused using Sysmon EventCode 10. It identifies suspicious GrantedAccess requests (0x40 and 0x1fffff) to processes such as notepad.exe, wordpad.exe and calc.exe, excluding common system paths like System32, Syswow64, and Program Files. This behavior is often associated with the SliverC2 framework by BishopFox. Monitoring this activity is crucial as it may indicate an initial payload attempting to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment.
data_source:
    - Sysmon EventID 10
search: |-
    `sysmon`
    EventCode=10
    TargetImage IN (
        "*\\backgroundtaskhost.exe",
        "*\\calc.exe",
        "*\\CalculatorApp.exe",
        "*\\chrome.exe",
        "*\\dllhost.exe",
        "*\\edge.exe",
        "*\\firefox.exe",
        "*\\lsass.exe",
        "*\\mspaint.exe",
        "*\\notepad.exe",
        "*\\regsvr32.exe",
        "*\\searchprotocolhost.exe",
        "*\\spoolsv.exe",
        "*\\svchost.exe",
        "*\\werfault.exe",
        "*\\win32calc.exe",
        "*\\wordpad.exe",
        "*\\wuauclt.exe"
    )
    
    NOT SourceImage IN (
        "*:\\Windows\\Program Files (x86)\\*",
        "*:\\Windows\\Program Files\\*",
        "*:\\Windows\\System32\\*",
        "*:\\Windows\\SysWOW64\\*"
    )
    
    GrantedAccess IN (
        "0x1f3fff",
        "0x1fffff",
        "0x40"
    )
    
    | stats values(user) as user
            min(_time) as firstTime
            max(_time) as lastTime count
    by dest user_id parent_process_name parent_process_guid
       process_name process_guid process_id signature SourceImage
       TargetImage GrantedAccess CallTrace
    
    | eval CallTrace=split(CallTrace, "|")
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime dest user_id parent_process_name parent_process_guid process_name process_guid process_id signature SourceImage TargetImage GrantedAccess CallTrace
    | `windows_process_injection_into_commonly_abused_processes_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives: False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. If removing the paths is important, realize svchost and many native binaries inject into processes consistently. Restrict or tune as needed.
references:
    - https://dominicbreuker.com/post/learning_sliver_c2_08_implant_basics/
    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.
threat_objects:
    - field: SourceImage
      type: process
    - field: TargetImage
      type: process
analytic_story:
    - BishopFox Sliver Adversary Emulation Framework
    - Earth Alux
    - SAP NetWeaver Exploitation
    - APT37 Rustonotto and FadeStealer
asset_type: Endpoint
mitre_attack_id:
    - T1055.002
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit