PowerShell Injecting into Other Process
Looks for process access activity where PowerShell is accessing any other processes. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: PowerShell Injecting into Other Process
id: 95d5a93d-b755-4443-87d2-48125a4172ac
status: experimental
description: Looks for process access activity where PowerShell is accessing any other
    processes. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
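To show what the rule above actually fires on, here is an added example (not part of the rule or the Sigma project) that evaluates the `SourceImage|endswith: '\powershell.exe'` selection over a handful of constructed Sysmon ProcessAccess (Event ID 10) records, which is the usual backend for the `process_access` log source on Windows. It applies Sigma's default case-insensitive string matching; the event shapes and paths are made up for the demonstration.

```python
"""Evaluate the page's Sigma selection over constructed Sysmon ProcessAccess events."""
from typing import Iterable, List

# Constructed sample events in the shape of Sysmon Event ID 10 (ProcessAccess),
# already mapped to the Sigma field names the rule uses. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# The rule's single selection: SourceImage|endswith: '\powershell.exe'.
SELECTION = {"SourceImage|endswith": "\\powershell.exe"}


def field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default, so fold both sides."""
    value, pattern = value.casefold(), pattern.casefold()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "contains":
        return pattern in value
    return value == pattern  # no modifier: exact (case-insensitive) match


def event_matches(event: dict) -> bool:
    """condition: selection -- every field in the selection map must match."""
    # Assumption: logsource process_access/windows is backed by Sysmon Event ID 10.
    if event.get("EventID") != 10:
        return False
    for key, pattern in SELECTION.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(str(event[field]), modifier, pattern):
            return False
    return True


def run_rule(events: Iterable[dict]) -> List[dict]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if event_matches(e)]
```

Only the two `powershell.exe` events match; the `pwsh.exe` record is not caught because the rule's pattern names the Windows PowerShell 5.1 binary, and the rule does not look at `TargetImage` or `GrantedAccess`, which is why the page lists its false positives as unknown.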