{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eParent process PID spoofing is a defense evasion technique where a process is created with a parent process ID (PPID) that differs from its actual creator. This can be used to circumvent process monitoring tools that rely on accurate parent-child relationships. Adversaries may leverage this technique to disguise malicious processes as legitimate system processes or to elevate privileges by associating malicious activities with trusted processes. The technique involves manipulating process creation APIs to set an arbitrary PPID. The Elastic Defend integration is designed to capture the necessary process telemetry to detect these discrepancies. This activity matters because it can allow attackers to hide their actions and persist on compromised systems undetected. 
The referenced Elastic detection rule was last updated on 2026/04/30, demonstrating continued relevance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the Windows system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eAttacker executes a malicious process, such as a script or executable.\u003c/li\u003e\n\u003cli\u003eThe malicious process uses API calls (e.g., \u003ccode\u003eCreateProcess\u003c/code\u003e, \u003ccode\u003eNtCreateProcessEx\u003c/code\u003e) to spawn a new process.\u003c/li\u003e\n\u003cli\u003eDuring process creation, the attacker modifies the PPID parameter to spoof a legitimate parent process.\u003c/li\u003e\n\u003cli\u003eThe new process is launched with the spoofed PPID, appearing as a child of the chosen parent.\u003c/li\u003e\n\u003cli\u003eThe spoofed process executes malicious code, potentially downloading additional payloads or establishing command and control.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the trusted appearance of the spoofed process to evade detection by security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, lateral movement, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful parent process PID spoofing can allow attackers to evade detection and maintain persistence on a compromised system. This can lead to data breaches, system compromise, and financial loss. While the number of victims and specific sectors targeted are not specified in the provided source material, the technique is applicable across various sectors and organizations utilizing Windows-based systems. 
The lack of detection can lead to prolonged dwell time, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Process Creation with PPID Spoofing\u003c/code\u003e to your SIEM to identify potential parent process PID spoofing attempts based on process telemetry data.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation events with parent-child relationships using Elastic Defend to capture the necessary data for the provided rule.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of parent-child relationships as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) solutions to identify and block suspicious processes spawned by common exploitation vectors like Office applications and script hosts, as these are often associated with PPID spoofing.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule, specifically the \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e and \u003ccode\u003eprocess.executable\u003c/code\u003e lists, to match your organization\u0026rsquo;s baseline and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-09T14:22:00Z","date_published":"2024-05-09T14:22:00Z","id":"/briefs/2024-05-parent-process-spoofing/","summary":"Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.","title":"Windows Parent Process PID Spoofing Detection","url":"https://feed.craftedsignal.io/briefs/2024-05-parent-process-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender Advanced Threat 
Protection"],"_cs_severities":["high"],"_cs_tags":["process injection","powershell","defense evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying PowerShell scripts that combine specific Win32 API calls, often used in process injection and in-memory payload execution techniques. Attackers use PowerShell, a ubiquitous scripting language in Windows environments, to inject malicious code into other processes, bypassing traditional security controls. The rule specifically targets API combinations related to memory allocation (VirtualAlloc, VirtualAllocEx), memory protection (VirtualProtect), process access (OpenProcess), dynamic library loading (LdrLoadDll, LoadLibrary), and thread manipulation (CreateRemoteThread, NtCreateThreadEx). The rule excludes script activity originating from within Microsoft Defender Advanced Threat Protection directories, reducing false positives. This technique is valuable to attackers seeking to evade detection and execute malicious code stealthily. 
The detection logic is based on observing specific API combinations, commonly seen in tools like Empire.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eOpenProcess\u003c/code\u003e to gain access to a target process.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eVirtualAllocEx\u003c/code\u003e to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eWriteProcessMemory\u003c/code\u003e is used to write malicious code into the allocated memory.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or \u003ccode\u003eNtCreateThreadEx\u003c/code\u003e to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as credential dumping or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of another process, often a legitimate one. This can lead to credential theft, privilege escalation, data exfiltration, or the deployment of ransomware. The impact is significant, as it allows attackers to bypass security controls and operate stealthily. While the number of victims is unknown, the widespread use of PowerShell makes this a potentially widespread threat. 
Successful attacks can compromise sensitive data, disrupt business operations, and damage an organization\u0026rsquo;s reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary events (4104) for this detection to function as described in the setup instructions \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious PowerShell scripts indicative of process injection. Tune the rules based on your environment\u0026rsquo;s baseline activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the reconstructed script content, target process, and execution context. Refer to the investigation guide section for triage steps.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious API calls related to process injection, as described in the rule\u0026rsquo;s \u003ccode\u003equery\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T10:00:00Z","date_published":"2024-01-24T10:00:00Z","id":"/briefs/2024-01-24-posh-process-injection/","summary":"This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.","title":"Potential Process Injection via 
PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-24-posh-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eSvchost.exe (Service Host) is a critical Windows process responsible for hosting various Windows services. Attackers frequently target svchost.exe to disguise malicious activity, using techniques like process injection or file masquerading. By injecting malicious code into a legitimate svchost.exe process or creating a fake svchost.exe executable, attackers can evade detection and escalate privileges. This can be done by spawning the process with unusual arguments to trick the OS or a user. Detecting these anomalies is crucial for identifying potentially compromised systems. The attacks documented leveraging this technique started to gain prominence around 2018 and are still relevant in 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable or script to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a legitimate svchost.exe process. 
Alternatively, the attacker may copy the svchost.exe executable and rename it, placing it in a different directory.\u003c/li\u003e\n\u003cli\u003eThe injected code or masqueraded executable executes with unusual command-line arguments, deviating from the standard \u0026ldquo;-k \u0026lt;servicegroup\u0026gt;\u0026rdquo; parameter.\u003c/li\u003e\n\u003cli\u003eThe malicious svchost process performs unauthorized actions, such as establishing network connections, modifying files, or creating new processes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges of the svchost process to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by modifying registry keys or scheduling tasks.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, lateral movement, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised svchost.exe processes can lead to significant system instability and data breaches. Attackers may leverage these processes to gain complete control over affected systems, potentially impacting hundreds or thousands of machines in a network. The consequences can include data theft, financial losses, and reputational damage. 
Ransomware groups, such as BlackByte/Exbyte, and APT groups, like APT41, have been observed using similar techniques to evade detection and achieve their objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Uncommon Svchost Command Line Parameter\u0026rdquo; to your SIEM to detect anomalous svchost.exe processes based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if they are indicative of malicious activity.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging, specifically capturing command-line arguments, to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized executables, including masqueraded svchost.exe instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-svchost-uncommon-params/","summary":"Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.","title":"Uncommon Svchost Command Line Parameters Indicate Potential Masquerading or Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-23-svchost-uncommon-params/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["credential-access","lsass","process-injection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies the creation of an LSASS process clone via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e on Windows systems. The rule focuses on scenarios where the parent process of the new LSASS instance is also \u003ccode\u003elsass.exe\u003c/code\u003e. 
This behavior is often associated with attackers attempting to bypass security controls and dump LSASS memory to extract credentials. The technique is used to evade detection mechanisms that monitor the primary LSASS process. Successful exploitation can lead to the compromise of domain or local credentials stored in memory, allowing for lateral movement and privilege escalation within the network. The detection is based on Windows Security Event Logs, specifically event code 4688, and is designed to identify this specific cloning behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system, potentially using tools like PowerShell or command-line utilities.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a process to clone the LSASS process using \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newly created process, a clone of LSASS, runs alongside the original.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the cloned LSASS process to dump its memory. 
This may involve tools like \u003ccode\u003ecomsvcs.dll\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e or custom scripts leveraging the MiniDumpWriteDump function.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the dumped memory, including usernames, passwords, and Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing additional systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can result in the compromise of sensitive credentials stored in LSASS memory, including domain and local account credentials. This can lead to unauthorized access to critical systems and data, potentially resulting in data breaches, financial loss, and reputational damage. Domain controllers, jump hosts, and systems with privileged accounts are at especially high risk. The number of affected systems can range from a single machine to a large portion of the network, depending on the attacker\u0026rsquo;s objectives and the scope of the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Logs with event code 4688 for process creation events, specifically focusing on the process and parent process names to identify LSASS cloning attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential LSASS clone creation via \u003ccode\u003ePssCaptureSnapShot\u003c/code\u003e. 
Tune the rule for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the processes involved in cloning and dumping LSASS memory.\u003c/li\u003e\n\u003cli\u003eEnable Audit Process Creation and Command Line logging as per the Elastic documentation to ensure the events used by the provided Sigma rules are captured.\u003c/li\u003e\n\u003cli\u003eIf an LSASS clone is detected, review authentication events (4624, 4648, 4625) on the affected host to identify any suspicious logons or credential usage.\u003c/li\u003e\n\u003cli\u003eMonitor for file activity related to memory dumps (e.g., .dmp files) written by the process clone to identify potential credential theft attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-lsass-clone-creation/","summary":"Detection of LSASS process cloning using PssCaptureSnapShot, where the parent process is also LSASS, indicating a potential attempt to dump LSASS memory for credential access.","title":"Potential LSASS Clone Creation via PssCaptureSnapShot","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-clone-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. 
The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked to execute a malicious script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.\u003c/li\u003e\n\u003cli\u003eThe script uses functions such as OpenProcess to gain a handle to a target process.\u003c/li\u003e\n\u003cli\u003eVirtualAllocEx is called to allocate memory within the target process.\u003c/li\u003e\n\u003cli\u003eWriteProcessMemory is used to write malicious code into the allocated memory region of the target process.\u003c/li\u003e\n\u003cli\u003eCreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, achieving code execution and potential privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. 
This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell PInvoke Process Injection\u003c/code\u003e to your SIEM and tune the rule to your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the \u003ccode\u003edetection\u003c/code\u003e section of the rule.\u003c/li\u003e\n\u003cli\u003eReview PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-pinvoke-process-injection/","summary":"This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.","title":"PowerShell P/Invoke Process Injection API Chain Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a platform for 
building applications, commonly used in software development environments. Adversaries are exploiting MSBuild to perform process injection, a technique to execute malicious code within the address space of another process. This allows attackers to evade detection and potentially escalate privileges. The detection focuses on monitoring for thread creation in other processes by instances of MSBuild.exe. This activity is considered unusual outside of legitimate software development or build environments. The exploitation of MSBuild for process injection is a known technique (T1127.001) to proxy execution through trusted developer utilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes MSBuild.exe, either directly or through another process.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is used to load and execute a malicious project file or inline code.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the MSBuild project file leverages Windows API calls to create a thread in a target process.\u003c/li\u003e\n\u003cli\u003eThe created thread injects malicious code or a payload into the target process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, potentially performing malicious activities.\u003c/li\u003e\n\u003cli\u003eThese activities could include lateral movement, data exfiltration, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection can lead to a variety of malicious outcomes, including privilege escalation, data theft, and system compromise. 
While the specific number of victims is not available, any Windows system running MSBuild is potentially vulnerable. The use of a trusted Microsoft utility like MSBuild makes detection more difficult, as it can blend in with legitimate developer activity. This can lead to prolonged compromise and significant damage before the malicious activity is detected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and CreateRemoteThread logging (event IDs 1 and 8) to detect the malicious activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Injection by the Microsoft Build Engine\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of MSBuild.exe in non-development environments.\u003c/li\u003e\n\u003cli\u003eMonitor the parent processes of MSBuild.exe for unusual or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-process-injection/","summary":"The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.","title":"MSBuild Process Injection Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious attempts to evade endpoint security solutions by 
monitoring the parent processes of security executables. Adversaries may employ process hollowing or other code injection techniques to inject malicious code into legitimate processes, such as \u003ccode\u003eesensor.exe\u003c/code\u003e or \u003ccode\u003eelastic-endpoint.exe\u003c/code\u003e, to avoid detection. The rule flags unexpected parent processes based on deviations from expected behavior, excluding known benign paths and arguments to minimize false positives. This activity is important for defenders as successful evasion can lead to significant compromise of systems and data. The rule supports various data sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon, providing broad coverage across different security ecosystems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unknown vector.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to inject malicious code into a legitimate endpoint security process (\u003ccode\u003eesensor.exe\u003c/code\u003e or \u003ccode\u003eelastic-endpoint.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious code is injected using process hollowing or similar techniques.\u003c/li\u003e\n\u003cli\u003eThe endpoint security process is launched by a suspicious parent process outside of known legitimate paths (e.g., not in \u003ccode\u003eC:\\Program Files\\Elastic\\*\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the endpoint security process, potentially disabling or bypassing security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised endpoint security process to perform further malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe endpoint security solution\u0026rsquo;s 
ability to detect and respond to threats is impaired, allowing the attacker to operate undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via process injection can lead to a significant degradation of endpoint security posture. Attackers can disable or bypass security controls, allowing them to perform malicious activities such as data theft, ransomware deployment, or lateral movement undetected. The impact can range from individual system compromise to widespread network breaches, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Endpoint Security Parent Process\u003c/code\u003e to your SIEM to detect anomalous parent-child process relationships involving endpoint security executables.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide detailed process execution data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the parent process executable path, command-line arguments, and historical activity.\u003c/li\u003e\n\u003cli\u003eAdd legitimate but unusual parent process paths to the Sigma rule\u0026rsquo;s exclusion list to reduce false positives, as described in the rule\u0026rsquo;s \u003ccode\u003eFalse positive analysis\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts from this rule with other security events from data sources like Elastic Endgame, Microsoft Defender XDR, or Sysmon, as recommended in the rule\u0026rsquo;s \u003ccode\u003ePossible investigation steps\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-suspicious-endpoint-parent/","summary":"This rule detects suspicious parent 
processes of endpoint security solutions such as Elastic Defend, Microsoft Defender, and SentinelOne, indicating potential process hollowing or code injection attempts to evade detection.","title":"Suspicious Endpoint Security Parent Process Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-03-suspicious-endpoint-parent/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["process-injection","powershell","pinvoke"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief focuses on the detection of PowerShell scripts utilizing Platform Invoke (P/Invoke) to perform process injection. P/Invoke allows managed code (PowerShell) to call native, unmanaged code (Windows API functions). Adversaries leverage this capability to inject malicious code into other processes, bypassing traditional defenses. This activity is identified through PowerShell script block logging (Event ID 4104). The detection strategy covers both the compile phase (detecting inline .NET class definitions with DllImport declarations) and the execution phase (detecting static method invocation patterns using ::MethodName syntax with execution context indicators). This ensures broad coverage, even when pre-compiled assemblies are loaded. 
The techniques detected cover a wide range of process injection methods, increasing the likelihood of detection against various attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker executes a PowerShell script containing malicious code designed for process injection.\u003c/li\u003e\n\u003cli\u003eThe script uses \u003ccode\u003eAdd-Type -TypeDefinition\u003c/code\u003e to define a .NET class inline, embedding C# source code that includes \u003ccode\u003e[DllImport]\u003c/code\u003e declarations for Windows API functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDllImport\u003c/code\u003e attribute specifies the native DLL (e.g., kernel32.dll, ntdll.dll) and the function name to import.\u003c/li\u003e\n\u003cli\u003eThe script declares external functions like \u003ccode\u003eVirtualAlloc\u003c/code\u003e, \u003ccode\u003eWriteProcessMemory\u003c/code\u003e, \u003ccode\u003eCreateRemoteThread\u003c/code\u003e, \u003ccode\u003eNtCreateSection\u003c/code\u003e, and \u003ccode\u003eNtMapViewOfSection\u003c/code\u003e with \u003ccode\u003epublic static extern \u0026lt;ReturnType\u0026gt; \u0026lt;FunctionName\u0026gt;(...)\u003c/code\u003e signatures.\u003c/li\u003e\n\u003cli\u003eOnce the type is compiled, the script calls those functions through PowerShell\u0026rsquo;s static-member syntax, \u003ccode\u003e[ClassName]::FunctionName(...)\u003c/code\u003e, typically alongside helpers such as \u003ccode\u003e[IntPtr]::Zero\u003c/code\u003e and \u003ccode\u003e[Marshal]::Copy\u003c/code\u003e to build arguments and move the payload bytes into unmanaged memory; the same \u003ccode\u003e::\u003c/code\u003e invocation pattern appears when the type comes from a pre-compiled assembly instead of \u003ccode\u003eAdd-Type\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script allocates memory in the target process using \u003ccode\u003eVirtualAllocEx\u003c/code\u003e or \u003ccode\u003eNtAllocateVirtualMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code (shellcode or DLL) is written to the allocated memory using \u003ccode\u003eWriteProcessMemory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA new thread is created in the target process to execute the injected code using \u003ccode\u003eCreateRemoteThread\u003c/code\u003e or 
\u003ccode\u003eRtlCreateUserThread\u003c/code\u003e. Alternatively, APC injection uses \u003ccode\u003eQueueUserAPC\u003c/code\u003e to queue an Asynchronous Procedure Call in the target process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to execute arbitrary code within the context of a legitimate process. This can lead to privilege escalation, credential theft, and persistence. Process injection can also be used to bypass security software and gain unauthorized access to sensitive data. This technique has been observed in malware campaigns associated with VIP Keylogger and similar threats, leading to data exfiltration and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging (Event ID 4104) to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect malicious PowerShell scripts using P/Invoke for process injection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on processes that exhibit suspicious API call patterns.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rules based on your environment to minimize false positives and ensure accurate detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-powershell-pinvoke-injection/","summary":"This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.","title":"PowerShell P/Invoke API Chain for Process 
Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-pinvoke-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","windows","process-injection","masquerading","access-token-manipulation","parent-pid-spoofing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies Windows programs executed with unexpected parent processes, which may indicate masquerading, process injection, or other anomalous behavior. The detection logic focuses on deviations from established parent-child process relationships within the Windows operating system. This rule leverages data from multiple sources, including Elastic Defend, CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs, to enhance detection coverage. This is important for defenders as unusual parent-child process relationships can be indicative of various malicious activities, including privilege escalation and defense evasion techniques employed by threat actors. The rule aims to provide early detection of potentially malicious activities by identifying deviations from the expected process execution patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload that attempts to masquerade as a legitimate process.\u003c/li\u003e\n\u003cli\u003eThe malicious process is launched with an unexpected parent process, deviating from normal Windows process relationships. 
For example, \u003ccode\u003eautochk.exe\u003c/code\u003e running without \u003ccode\u003esmss.exe\u003c/code\u003e as its parent.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to inject code into other processes for privilege escalation or defense evasion, leveraging techniques like process hollowing.\u003c/li\u003e\n\u003cli\u003eThe injected code gains elevated privileges, allowing the attacker to perform sensitive actions on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting unusual parent-child relationships can lead to privilege escalation, allowing attackers to gain control of the compromised system. This can result in data breaches, system downtime, and financial losses. The rule aims to mitigate these risks by detecting suspicious process executions early in the attack chain. 
While the exact number of potential victims and sectors targeted is not explicitly mentioned, the broad applicability of Windows systems makes this a widespread threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment to detect unusual parent-child process relationships (see \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in your Windows environment using Sysmon or Windows Security Event Logs to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and baseline common parent-child process relationships in your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eIntegrate your SIEM with threat intelligence feeds to identify known malicious processes and their associated parent processes.\u003c/li\u003e\n\u003cli\u003eConfigure endpoint detection and response (EDR) solutions like Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne to collect and analyze process execution data (see \u003ccode\u003esetup\u003c/code\u003e section in the source URL).\u003c/li\u003e\n\u003cli\u003eRefer to the investigation guide linked in the source URL to triage alerts related to unusual parent-child process relationships.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-unusual-parent-child/","summary":"This rule identifies Windows programs run from unexpected parent processes, which could indicate masquerading or other strange activity on a system, potentially indicating process injection, masquerading, access token manipulation, or parent PID spoofing.","title":"Unusual Parent-Child Relationship 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-parent-child/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office","EdgeWebView","Acrobat DC"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe"],"content_html":"\u003cp\u003eThis detection identifies potential process injection attempts, specifically process hollowing, by pairing a process creation event with a subsequent process access whose call trace originates from an unknown memory region. The rule focuses on processes spawned by Microsoft Office applications (winword.exe, excel.exe, outlook.exe, powerpnt.exe), scripting engines (cscript.exe, wscript.exe, mshta.exe), and command-line tools (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, wmic.exe, cmstp.exe, msxsl.exe). The logic looks for a child spawned by one of these applications/tools, followed by the same parent opening that child\u0026rsquo;s memory from code that is not backed by any module on disk, which is the signature of a parent already running injected or reflectively loaded code. Attackers use process injection to hide malicious activity within legitimate processes, evading detection and hindering forensic analysis. 
This technique is a common tactic used to establish persistence, escalate privileges, or execute malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious document or executes a script.\u003c/li\u003e\n\u003cli\u003eThe Microsoft Office application (e.g., winword.exe) or scripting engine (e.g., wscript.exe) starts as a parent process and, through the exploit or macro, is already executing attacker code from unbacked memory.\u003c/li\u003e\n\u003cli\u003eThe parent process creates a new child process (e.g., a legitimate system executable), typically in a suspended state so that its image can be replaced before the first instruction runs.\u003c/li\u003e\n\u003cli\u003eThe attacker unmaps or overwrites the child\u0026rsquo;s legitimate code sections, writes the malicious payload into the child\u0026rsquo;s memory, and points the main thread at it.\u003c/li\u003e\n\u003cli\u003eSysmon Event ID 10 (ProcessAccess) records the parent opening the child; its \u003ccode\u003eCallTrace\u003c/code\u003e contains an \u003ccode\u003eUNKNOWN\u003c/code\u003e frame, meaning the calling code lives in memory not backed by any loaded module, which is what the rule keys on.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the child process, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThese actions can include establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection allows attackers to mask their malicious activities within legitimate processes, making detection and attribution significantly harder. This can lead to prolonged infections, data breaches, and system compromise. The impact can range from individual workstation compromise to widespread organizational damage, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role. 
The rule mitigates risks associated with advanced persistent threats (APTs) and commodity malware using process injection for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 10 (Process Access) to collect the necessary telemetry for this detection (\u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003eSysmon Event ID 1 - Process Creation\u003c/a\u003e, \u003ca href=\"https://ela.st/sysmon-event-10-setup\"\u003eSysmon Event ID 10 - Process Access\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Process Creation CallTrace\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious activities performed by the injected code.\u003c/li\u003e\n\u003cli\u003eConsider memory dumping the child process for further analysis, to examine if malicious code exists.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-suspicious-process-calltrace/","summary":"The rule identifies suspicious process creation where a process is created and immediately accessed from an unknown memory code region by the same parent process, indicating a potential code injection attempt, specifically process hollowing, commonly targeting processes spawned by Microsoft Office applications, scripting engines, and command-line tools for defense evasion.","title":"Suspicious Process Creation Followed by Memory Access from Unknown Region","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-process-calltrace/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","process-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies unusual child processes spawned by the Windows virtual system process (PID 4). This activity is suspicious because the System process should typically only spawn specific, known system-level processes. Unexpected child processes could indicate code injection, process hollowing, or other defense evasion techniques. The rule specifically looks for processes where the parent PID is 4 and the executable name does not match expected system binaries (Registry, MemCompression, smss.exe, HotPatch). This rule uses data from Elastic Defend, Microsoft Defender XDR, SentinelOne, Sysmon, and Windows event logs, making it applicable across various environments. The rule applies only to Windows, where PID 4 is always the kernel\u0026rsquo;s System process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a running process.\u003c/li\u003e\n\u003cli\u003eThe injected code creates a new process whose recorded parent is the System process (PID 4), a parent that on a healthy host only ever creates a handful of kernel-initiated processes.\u003c/li\u003e\n\u003cli\u003eThe child process is an unexpected or malicious binary, not one of the components the System process is known to start.\u003c/li\u003e\n\u003cli\u003eThe malicious child process executes further actions, such as establishing persistence or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spawned process to perform lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to evade detection by making the new process look like a kernel-initiated child of the System process.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the system, steal data, or establish a persistent foothold.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to complete system compromise, data theft, or the installation of persistent malware. A process that appears to descend from the System process benefits from the trust defenders extend to kernel-initiated children, and one genuinely started from kernel context runs as SYSTEM, making detection and remediation more difficult. While the number of affected victims and sectors is not specified, this technique can be used in targeted attacks against high-value systems, potentially impacting critical infrastructure or sensitive data environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eUnusual System Virtual Process Child Process\u003c/code\u003e to your SIEM to detect potential code injection and defense evasion attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the required data is available for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent and child process relationships, binary identities, and process behaviors as outlined in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.hash.sha256\u003c/code\u003e, \u003ccode\u003eprocess.pe.original_file_name\u003c/code\u003e, and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e to confirm the child binary identity and ensure it is consistent with the claimed system component.\u003c/li\u003e\n\u003cli\u003eReview the Elastic Defend fields \u003ccode\u003eprocess.Ext.relative_file_creation_time\u003c/code\u003e, \u003ccode\u003eprocess.Ext.relative_file_name_modify_time\u003c/code\u003e, and \u003ccode\u003eprocess.Ext.created_suspended\u003c/code\u003e to identify potential file dropping, renaming, or hollowing techniques at process 
startup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-unusual-system-vp-child/","summary":"A suspicious child process of the Windows virtual system process is detected, potentially indicating code injection and defense evasion.","title":"Unusual Child Process from a System Virtual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-system-vp-child/"}],"language":"en","title":"CraftedSignal Threat Feed — Process-Injection","version":"https://jsonfeed.org/version/1.1"}
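The parent-child checks in the briefs above (Unusual Parent-Child Relationship Detection, Unusual Child Process from a System Virtual Process, and Suspicious Endpoint Security Parent Process Detected) reduce to two lookups over process creation telemetry: is this a baselined binary with the wrong parent, and is this an unexpected child of PID 4. The Python below is an added example written for this page, not CraftedSignal's, Elastic's or any vendor's rule logic. The autochk.exe/smss.exe pair and the PID 4 child allowlist come from the briefs; the remaining baseline entries, the endpoint security executable names and the sample Sysmon-style events are assumptions constructed for illustration.

```python
"""Parent-child anomaly checks over Sysmon Event ID 1 style records.

Added example for the parent-child briefs above; it is not CraftedSignal's,
Elastic's or any vendor's rule code. The baseline below and the sample events
are constructed assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Binaries whose parent is fixed on a healthy host. autochk.exe -> smss.exe is
# the brief's own example; the other entries are assumed and should be replaced
# by a baseline measured in your environment (the endpoint security service
# names are likewise assumptions).
EXPECTED_PARENT = {
    "autochk.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "msmpeng.exe": {"services.exe"},           # Microsoft Defender service (assumed)
    "elastic-endpoint.exe": {"services.exe"},  # Elastic Defend service (assumed)
}

# The only children the Windows System virtual process (PID 4) should create,
# as listed in the brief (compared case-insensitively).
SYSTEM_PID = 4
SYSTEM_CHILDREN = {"registry", "memcompression", "smss.exe", "hotpatch"}


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon EID 1 fields the checks need."""
    pid: int
    image: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name; pseudo-processes such as System carry no path."""
    return PureWindowsPath(path).name.lower() if "\\" in path else path.lower()


def check_event(ev: ProcessCreate) -> list[str]:
    """Return the names of the rules this event matches (empty list = benign)."""
    hits: list[str] = []
    child, parent = basename(ev.image), basename(ev.parent_image)

    # Rule 1: unusual child of the System virtual process.
    if ev.parent_pid == SYSTEM_PID and child not in SYSTEM_CHILDREN:
        hits.append("unusual_system_virtual_process_child")

    # Rule 2: a baselined system or security binary with the wrong parent.
    expected = EXPECTED_PARENT.get(child)
    if expected is not None and parent not in expected:
        hits.append("unusual_parent_child_relationship")
    return hits


def scan(events: list[ProcessCreate]) -> dict[int, list[str]]:
    """Map pid -> matched rules for every event that fired at least one rule."""
    return {ev.pid: hits for ev in events if (hits := check_event(ev))}


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    ProcessCreate(368, r"C:\Windows\System32\smss.exe", 4, "System"),
    ProcessCreate(120, "Registry", 4, "System"),
    ProcessCreate(520, r"C:\Windows\System32\autochk.exe", 368, r"C:\Windows\System32\smss.exe"),
    ProcessCreate(3120, r"C:\Windows\System32\autochk.exe", 2988, r"C:\Users\Public\loader.exe"),
    ProcessCreate(4412, r"C:\Windows\Temp\svchost.exe", 4, "System"),
    ProcessCreate(912, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                  700, r"C:\Windows\System32\services.exe"),
    ProcessCreate(5200, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                  5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Run against the constructed events, only the autochk.exe started by a loader in a user-writable path, the svchost.exe claiming PID 4 as its parent, and the Defender service launched from PowerShell are reported; the smss.exe, Registry and correctly parented entries pass. The baseline map is the part to tune: every entry you add is a false-positive source until it has been measured in your own environment.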