Process Injection - Detected - Elastic Endgame

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4promotion = true
 5updated_date = "2025/03/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the
11rule.reference column for additional information.
12"""
13from = "now-2m"
14index = ["endgame-*"]
15interval = "1m"
16language = "kuery"
17license = "Elastic License v2"
18max_signals = 1000
19name = "Process Injection - Detected - Elastic Endgame"
20risk_score = 73
21rule_id = "80c52164-c82a-402c-9964-852533d58be1"
22setup = """## Setup
23
24### Additional notes
25
26For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
27"""
28severity = "high"
29tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
30timestamp_override = "event.ingested"
31type = "query"
32
33query = '''
34event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
35'''
36note = """## Triage and analysis
37
38> **Disclaimer**:
39> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
40
41### Investigating Process Injection - Detected - Elastic Endgame
42
43Elastic Endgame is a security solution that monitors and detects suspicious activities like process injection, a technique often used by adversaries to execute malicious code within the address space of another process, thereby evading detection. This detection rule identifies such threats by analyzing alerts and specific event actions related to kernel shellcode, indicating potential privilege escalation attempts. By leveraging MITRE ATT&CK frameworks, it effectively flags high-risk activities, aiding analysts in mitigating threats.
44
45### Possible investigation steps
46
47- Review the alert details in the Elastic Endgame console by clicking the Elastic Endgame icon in the event.module column or the link in the rule.reference column to gather more context about the detected process injection.
48- Examine the specific event.action and endgame.event_subtype_full fields to confirm the presence of kernel_shellcode_event, which indicates potential malicious activity.
49- Analyze the process tree and parent-child relationships of the affected process to identify any unusual or unauthorized processes that may have initiated the injection.
50- Check for any recent privilege escalation attempts or suspicious activities associated with the affected process by correlating with other alerts or logs in the system.
51- Investigate the source and destination IP addresses, if available, to determine if there is any external communication that could suggest a command and control connection.
52- Assess the risk and impact of the detected activity by considering the risk score and severity level, and prioritize response actions accordingly.
53- If necessary, isolate the affected system to prevent further malicious activity and begin remediation efforts based on the findings.
54
55### False positive analysis
56
57- Legitimate software updates or patches may trigger process injection alerts. Users can create exceptions for known update processes by identifying their unique process names or hashes.
58- Security tools or monitoring software that use process injection for legitimate purposes might be flagged. Users should whitelist these tools by specifying their process identifiers or paths.
59- Custom scripts or automation tasks that interact with system processes could be misidentified as threats. Users can exclude these scripts by defining their execution context or command-line arguments.
60- Debugging or development activities involving process manipulation might cause false positives. Users should consider excluding these activities during known development periods or within specific environments.
61- Virtualization or sandboxing solutions that mimic process injection techniques for isolation purposes may be detected. Users can create exceptions for these solutions by recognizing their specific signatures or behaviors.
62
63### Response and remediation
64
65- Isolate the affected system immediately to prevent further spread of the malicious code. Disconnect it from the network and any shared resources.
66- Terminate the malicious process identified by the alert to stop the execution of injected code. Use process management tools to safely end the process.
67- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or remnants of the attack.
68- Review and analyze system logs and the specific event details from the alert to understand the scope of the intrusion and identify any other potentially compromised systems.
69- Apply security patches and updates to the operating system and all software applications on the affected system to close any vulnerabilities exploited by the attacker.
70- Restore the system from a known good backup taken before the incident occurred, ensuring that the backup is free from any malicious code.
71- Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed information about the attack and the steps taken for remediation."""
72
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1055"
78name = "Process Injection"
79reference = "https://attack.mitre.org/techniques/T1055/"
80
81
82[rule.threat.tactic]
83id = "TA0004"
84name = "Privilege Escalation"
85reference = "https://attack.mitre.org/tactics/TA0004/"