Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
Injection Analytics |
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
An unsigned process with low popularity injected code to another process.
Attacker's Goals
Attackers may inject code into processes to evade process-based defenses, as well as possibly elevate privileges.
Investigative actions
- Check whether the injecting process is benign, and if this was a desired behavior as part of its normal execution flow.
Variations
Unsigned and unpopular process performed process hollowing injectionUnsigned and unpopular process performed queue APC injection
Unsigned and unpopular process performed injection into a sensitive process
Unsigned and unpopular process performed injection into svchost.exe
Unsigned and unpopular process performed injection into a commonly abused process
Unsigned and unpopular process performed injection into a process signed by a security vendor