
Summary
The 'Windows Process Injection Remote Thread' detection rule captures suspicious remote thread creation in otherwise legitimate processes such as Taskmgr.exe and calc.exe. It relies on Sysmon EventCode 8 to identify process injection attempts of the kind that malicious software such as Qakbot uses to run harmful code inside regular system processes. This activity is significant because it enables unauthorized code execution, which attackers can exploit to gain additional privileges or establish persistence on the affected system. The rule alerts on these critical security events and thus serves as a preventative measure against common attack methodologies leveraged by malware.
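The detection logic described above, run over constructed Sysmon EventCode 8 (CreateRemoteThread) records, as an added example that is not the rule's own search; the flat Key=Value layout, the parse_event and detect_remote_thread_injection functions, and the sample hosts and paths are assumptions made here.

```python
"""Flag Sysmon EventCode 8 (CreateRemoteThread) whose target is Taskmgr.exe or calc.exe.

Hypothetical, simplified re-implementation of the rule's idea; not its actual search.
"""
import re
from pathlib import PureWindowsPath

# Process images the rule treats as unusual remote-thread targets (from the rule text).
WATCHED_TARGETS = {"taskmgr.exe", "calc.exe"}

# Constructed sample events in a flat Key=Value layout (not real Sysmon output).
SAMPLE_EVENTS = [
    'EventCode=8 SourceImage="C:\\Users\\u\\AppData\\Roaming\\update.exe" '
    'TargetImage="C:\\Windows\\System32\\Taskmgr.exe" StartAddress=0x00007FF6A3C01000 Computer=WS01',
    'EventCode=8 SourceImage="C:\\Windows\\System32\\csrss.exe" '
    'TargetImage="C:\\Windows\\System32\\svchost.exe" StartAddress=0x00007FFD12340000 Computer=WS01',
    'EventCode=1 Image="C:\\Windows\\System32\\calc.exe" Computer=WS01',
    'EventCode=8 SourceImage="C:\\Temp\\stage2.exe" '
    'TargetImage="C:\\WINDOWS\\SYSTEM32\\CALC.EXE" StartAddress=0x0000000000401000 Computer=WS02',
]

# Key=Value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one Key=Value line into a dict of string fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def detect_remote_thread_injection(lines):
    """Return one alert per EventCode 8 record whose TargetImage is a watched process."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "8":
            continue  # only CreateRemoteThread events are relevant to this rule
        # Compare on the image file name, case-insensitively: Windows paths are not case-sensitive.
        target = PureWindowsPath(ev.get("TargetImage", "")).name.lower()
        if target in WATCHED_TARGETS:
            alerts.append({
                "host": ev.get("Computer", "?"),
                "source_image": ev.get("SourceImage", "?"),
                "target_image": ev["TargetImage"],
                "start_address": ev.get("StartAddress", "?"),
                "attack": ["T1055", "T1055.002"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['source_image']} -> {a['target_image']} @ {a['start_address']}")
```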
Categories
- Endpoint
Data Sources
- Pod
- Process
- Sensor Health
ATT&CK Techniques
- T1055
- T1055.002
Created: 2024-11-13