This note documents detection patterns for Process Injection (T1055) in Windows environments, centred on Sysmon process-access and remote-thread telemetry.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 8 | CreateRemoteThread | Critical | Strong direct indicator of remote thread injection. Covers CreateRemoteThread / NtCreateThreadEx only; APC injection and thread hijacking create no new thread and do not appear here. |
| Sysmon | 10 | Process access | Critical | Records the GrantedAccess mask of every handle opened to another process; a mask including PROCESS_VM_WRITE or PROCESS_CREATE_THREAD is the injection precursor. Needs include rules in the Sysmon config, otherwise the volume is unmanageable. |
| Sysmon | 1 | Process creation | Critical | Required to identify injector lineage (parent, command line, hashes). |
| Security | 4688 | Process creation | High | Parent-child context for the injector; the command line is only present when "Include command line in process creation events" is enabled. |
| Sysmon | 7 | Image loaded | High | Classic LoadLibrary-based DLL injection appears as an image load in the target process, not the injector; also exposes unsigned DLLs loaded by the injector. |
| Sysmon | 11 | File create | Medium | Payload staging before injection (dropped DLL or shellcode file). |
| Security | 4673 | A privileged service was called | High | Logged under Audit Sensitive Privilege Use when SeDebugPrivilege is exercised, e.g. to open another user's process. Noisy; 4703 (a user right was adjusted) shows the privilege being enabled in the token. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| High-rights handle to foreign process | GrantedAccess including PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD (e.g. 0x1FFFFF, 0x143A) | Critical | Core injection precursor; opening another user's process with these rights needs SeDebugPrivilege. |
| Unsigned process touches signed process | Injector in Temp/AppData/Downloads opening a system binary | Critical | Strong malicious signal. Sysmon 10 carries no signature data; join to Sysmon 7 for the injector's main image, or to EDR. |
| Explorer / Office injects into system binary | Rare lineage | Critical | Highly suspicious; a macro or exploit payload running inside the Office process is the usual cause. |
| Remote thread into browser or lsass | Common target choice | Critical | Credential theft (lsass) or blending into expected network activity (browser). |
| Memory-only behaviour in target | Network connections (Sysmon 3) from a target that normally makes none, with no new image on disk | High | Fileless clue. |
| Target changes behaviour without new file writes | New threads, network or child processes from the target with no corresponding Sysmon 11 | High | Common injection outcome: the payload exists only in the target's memory. |
Common Tools
| Tool | Usage |
|---|---|
| mimikatz | Opens lsass with a high-rights handle (Sysmon 10); misc::memssp patches code into lsass |
| Cobalt Strike | Beacon post-exploitation jobs inject into a sacrificial spawnto process (rundll32.exe by default) or an existing process |
| Process Hacker | Manual DLL injection from the GUI |
| rundll32.exe | Frequent injection target / sacrificial host, and a LOLBin for loading a staged DLL |
| PowerShell | Reflective loaders (e.g. Invoke-ReflectivePEInjection) |
| custom loaders | CreateRemoteThread / NtCreateThreadEx and APC-based variants |
Relevant Artifacts
- Sysmon Event IDs 1, 7, 8, 10, 11
- Security Event IDs 4688, 4673
- Prefetch for the injector binary
- Amcache / ShimCache (execution evidence for an injector that has since been deleted)
- EDR memory telemetry (unbacked executable regions, RWX allocations)
- Handle access records
- MFT / USN journal if the payload was staged on disk first
MITRE ATT&CK References
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1055.002 Portable Executable Injection
Decision Tree
- Which process opened the target?
  - Source image and path (user-writable location?)
  - Signed status (from Sysmon 7 or EDR; Sysmon 10 carries no signature data)
- Is the granted access suspicious?
  - PROCESS_VM_WRITE
  - PROCESS_CREATE_THREAD
  - PROCESS_VM_OPERATION (needed to allocate or change protection of target memory)
- Was a remote thread created?
  - Sysmon 8 with the same source and target process GUIDs as the Sysmon 10 event
  - StartModule empty (start address in unbacked memory) versus a known export such as kernel32!LoadLibraryA
- Is the target sensitive?
  - lsass
  - explorer
  - browser
  - svchost
- Expand:
  - Memory-only payload
  - Network from target
  - Parent chain
- Scope:
  - Single target
  - Multiple injections
  - Shared injector
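The decision tree above, applied in code to a handful of Sysmon 10/8 events. This is an added example and not tooling or telemetry from the original note: the sample events are constructed, their field names follow Sysmon EventData with the process GUID fields normalized to `SourceProcessGuid`/`TargetProcessGuid` (EID 10 actually spells them `SourceProcessGUID`/`TargetProcessGUID`), and the scoring weights and severity thresholds are this example's assumptions. The access-right bit values are the PROCESS_* constants from winnt.h.

```python
"""Triage Sysmon ProcessAccess (EID 10) and CreateRemoteThread (EID 8) events
along the decision tree: source, granted rights, remote thread, target, scope.
Sample events are constructed; weights and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PROCESS_* access rights from winnt.h that matter for injection.
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
INJECT_RIGHTS = 0x0002 | 0x0020  # CREATE_THREAD | VM_WRITE: write code, then run it
SENSITIVE_TARGETS = {"lsass.exe", "explorer.exe", "svchost.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public)\\", re.I)


def decode_access(mask_hex):
    """Expand a GrantedAccess hex string into the named rights it contains."""
    mask = int(mask_hex, 16)
    return sorted(name for bit, name in PROCESS_RIGHTS.items() if mask & bit)


def access_is_suspicious(mask_hex):
    """True when the handle can write memory or create threads in the target.
    Read-only masks such as 0x1410 (typical of credential dumping) return False."""
    return bool(int(mask_hex, 16) & INJECT_RIGHTS)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _severity(score):
    if score >= 7:
        return "critical"
    if score >= 4:
        return "high"
    return "medium" if score >= 2 else "low"


def triage(events, window=timedelta(minutes=5)):
    """Score each EID 10/8 event and tie a remote thread back to a preceding
    write/thread-capable handle from the same source to the same target."""
    findings = []
    prior_access = defaultdict(list)  # (host, source GUID, target GUID) -> [times]
    for ev in sorted(events, key=_when):
        key = (ev["Computer"], ev["SourceProcessGuid"], ev["TargetProcessGuid"])
        t, reasons, score = _when(ev), [], 0
        if ev["EventID"] == 10:
            if access_is_suspicious(ev["GrantedAccess"]):
                rights = [r for r in decode_access(ev["GrantedAccess"])
                          if r.endswith(("VM_WRITE", "CREATE_THREAD"))]
                reasons.append("handle grants " + "|".join(rights))
                score += 2
                prior_access[key].append(t)
        elif ev["EventID"] == 8:
            reasons.append("remote thread created")
            score += 3
            if any(t - seen <= window for seen in prior_access[key]):
                reasons.append("preceded by write/thread-capable handle")
                score += 1
            if not ev.get("StartModule"):  # start address not backed by a mapped image
                reasons.append("unbacked start address " + ev["StartAddress"])
                score += 1
        else:
            continue
        if USER_WRITABLE.search(ev["SourceImage"]):
            reasons.append("source in user-writable path")
            score += 2
        if _basename(ev["TargetImage"]) in SENSITIVE_TARGETS:
            reasons.append("sensitive target")
            score += 1
        findings.append({"time": ev["UtcTime"], "event_id": ev["EventID"],
                         "source": ev["SourceImage"], "target": ev["TargetImage"],
                         "severity": _severity(score), "reasons": reasons})
    return findings


def injector_scope(findings):
    """Scope step: the distinct targets each injector (EID 8 source) hit."""
    scope = defaultdict(set)
    for f in findings:
        if f["event_id"] == 8:
            scope[_basename(f["source"])].add(_basename(f["target"]))
    return dict(scope)


def _ev(eid, clock, src, src_guid, tgt, tgt_guid, **extra):
    return dict(EventID=eid, Computer="WS01", UtcTime="2024-05-01 " + clock,
                SourceImage=src, SourceProcessGuid=src_guid,
                TargetImage=tgt, TargetProcessGuid=tgt_guid, **extra)


INJECTOR = r"C:\Users\bob\AppData\Local\Temp\update.exe"
LSASS, EXPLORER, SVCHOST = (r"C:\Windows\System32\lsass.exe",
                            r"C:\Windows\explorer.exe",
                            r"C:\Windows\System32\svchost.exe")
SAMPLE_EVENTS = [  # constructed Sysmon events, not real telemetry
    _ev(10, "12:00:00.100", SVCHOST, "{A}", LSASS, "{L}", GrantedAccess="0x1000"),
    _ev(10, "12:00:01.000", INJECTOR, "{U}", EXPLORER, "{E}", GrantedAccess="0x1FFFFF"),
    _ev(8, "12:00:02.000", INJECTOR, "{U}", EXPLORER, "{E}",
        StartAddress="0x000001D4A2B10000", StartModule=""),
    _ev(10, "12:00:30.000", r"C:\Program Files\Sensor\sensor.exe", "{S}", LSASS, "{L}",
        GrantedAccess="0x1410"),
    _ev(10, "12:01:00.000", INJECTOR, "{U}", SVCHOST, "{V}", GrantedAccess="0x143A"),
    _ev(8, "12:01:01.000", INJECTOR, "{U}", SVCHOST, "{V}",
        StartAddress="0x00007FF8B2C31A90",
        StartModule=r"C:\Windows\System32\kernel32.dll", StartFunction="LoadLibraryA"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["event_id"], _basename(f["source"]), "->",
              _basename(f["target"]), "; ".join(f["reasons"]))
    print("scope:", injector_scope(triage(SAMPLE_EVENTS)))
```

Running the file prints one line per finding: the two remote threads from the Temp-path injector come out critical, the read-only lsass handles from system binaries stay low (0x1000 and 0x1410 carry no VM_WRITE/CREATE_THREAD bit, so they are a credential-access question rather than an injection one), and `injector_scope` shows the same source hitting two targets, which is the "shared injector" branch of the scope step. An empty `StartModule` on EID 8 is what Sysmon records when the thread start address is not backed by a mapped image, the shellcode-injection tell; a start in kernel32!LoadLibraryA, as in the second remote thread, is the classic DLL-injection tell.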
Example Detection Templates
KQL
```kql
// Remote thread creation (Sysmon 8). The Sysmon table name assumes a custom table/parser;
// adjust to Event or SecurityEvent as your workspace ingests Sysmon.
Sysmon
| where EventID == 8
| project TimeGenerated, Computer, SourceImage, TargetImage, StartAddress, StartModule

// Handles with write/thread rights (Sysmon 10) opened from user-writable paths.
// Sysmon writes GrantedAccess as uppercase hex, so compare case-insensitively.
Sysmon
| where EventID == 10
| where GrantedAccess in~ ("0x1FFFFF", "0x1F3FFF", "0x143A")
| where SourceImage has_any ("Temp", "AppData", "Downloads")
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess
```
EQL
```eql
// Field names assume the Winlogbeat / Elastic Agent Sysmon module mapping
// (SourceImage -> process.executable, EventID -> event.code).
process where event.code == "8"

// A write/thread-capable handle followed within 5 minutes by a remote thread
// from the same source image on the same host.
sequence by host.name, process.executable with maxspan=5m
  [process where event.code == "10" and
     winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x1F3FFF", "0x143A")]
  [process where event.code == "8"]
```
Sigma
```yaml
title: Process Injection Detection
id: 2d5f3c90-process-injection
status: experimental
description: Detects remote thread creation (Sysmon 8) and process handles granting write or thread-creation rights (Sysmon 10)
references:
    - https://attack.mitre.org/techniques/T1055/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    service: sysmon
detection:
    selection_remote_thread:
        EventID: 8
    selection_handle:
        EventID: 10
        GrantedAccess:
            - '0x1FFFFF'
            - '0x1F3FFF'
            - '0x143A'
    condition: selection_remote_thread or selection_handle
fields:
    - SourceImage
    - TargetImage
    - GrantedAccess
    - StartModule
falsepositives:
    - Security tooling and debuggers opening processes with full access
    - Accessibility and screen-capture software
level: high
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Sysmon Event 8/10 | Enable injection telemetry with include rules on GrantedAccess and TargetImage | Critical | Core visibility; unfiltered Event 10 is too noisy to ship |
| EDR memory analytics | Monitor thread anomalies (unbacked start addresses, RWX regions) | Critical | Best detection source |
| Protect high-value processes | Run LSASS as a Protected Process Light (RunAsPPL), Credential Guard; browser sandboxing | High | PPL blocks non-PPL code from opening lsass with write/thread rights |
| Restrict SeDebugPrivilege | Minimize accounts holding the "Debug programs" right | High | Reduce injection surface; fewer local administrators matters more than the right itself |
| Application control | WDAC / AppLocker blocking unsigned binaries in user-writable paths | High | Prevent common loaders |
| Attack Surface Reduction | Rule "Block Office applications from injecting code into other processes" | High | Addresses the Office-injects-into-system-binary lineage above |