Process Injection

Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.

This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.

Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.

Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.

This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.

The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.

This rule detects suspicious parent processes of endpoint security solutions such as Elastic Defend, Microsoft Defender, and SentinelOne, indicating potential process hollowing or code injection attempts to evade detection.

This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.

This rule identifies Windows programs run from unexpected parent processes, which could indicate masquerading or other strange activity on a system, potentially indicating process injection, masquerading, access token manipulation, or parent PID spoofing.

The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.

A suspicious child process of the Windows virtual system process is detected, potentially indicating code injection and defense evasion.