Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
Injection Analytics |
ATT&CK Tactic |
Defense Evasion (TA0005) |
ATT&CK Technique |
Process Injection (T1055) |
Severity |
Low |
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Variations
Unsigned and unpopular process performed process hollowing injection
Synopsis
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Unsigned and unpopular process performed queue APC injection
Synopsis
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Unsigned and unpopular process performed injection into a sensitive process
Synopsis
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Unsigned and unpopular process performed injection into svchost.exe
Synopsis
Description
An unsigned process with low popularity injected code to another process. This process attempted to obtain System user permissions.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Unsigned and unpopular process performed injection into a commonly abused process
Synopsis
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Unsigned and unpopular process performed injection into a process signed by a security vendor
Synopsis
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.