Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | Injection Analytics |
| ATT&CK Tactic | Defense Evasion (TA0005) |
| ATT&CK Technique | Process Injection (T1055) |
| Severity | Informational |
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.
Variations
LOLBAS executable injects into another process using process hollowing
Synopsis
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.
Scripting engine injects into another process
Synopsis
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.
LOLBAS executable that's used to host DLLs injects into another process
Synopsis
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.
LOLBAS executable that's used to host DLLs injects into another process
Synopsis
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.
Rare LOLBAS executable injects into another process
Synopsis
Description
A signed binary, which can be abused to run code, injected code into another process.
Attacker's Goals
Gain code execution on the host and evade security controls.
Investigative actions
Check whether the injecting process is benign and whether the injection was desired behavior as part of its normal execution flow.