Detects PE injection through a behavioral sequence in which one process opens a handle to another (OpenProcess), allocates memory in the remote process (VirtualAllocEx), writes a PE image (MZ header) or shellcode into it (WriteProcessMemory), and then starts a new thread in that process (CreateRemoteThread or NtCreateThreadEx), so the injected code executes in memory without ever touching disk. Optionally, the written content is a trampoline or shellcode that unpacks or reflectively maps the actual payload.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Controls for detecting high-entropy memory writes indicating shellcode or encrypted PE |
| TargetProcessList | High-value or sensitive processes that should never have remote threads injected |
| TimeWindow | Max allowed delay between memory write and thread execution |
| ParentProcessAnomalyThreshold | Used to filter legitimate process hierarchies vs anomalous injection sources |
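As an added example, not part of this detection strategy's own content, the correlation described above in Python over constructed Sysmon-style records: a ProcessAccess event (EventCode 10) that grants thread-creation and memory-write rights, followed within TimeWindow by a CreateRemoteThread event (EventCode 8) from the same source into the same target, scored against TargetProcessList and an unbacked thread start address. Field names follow Sysmon's schema; the event values, the threshold and the process list are assumptions.

```python
from datetime import datetime

# Tunables named after the page's fields (values are illustrative assumptions).
TIME_WINDOW_S = 30                                   # max delay between access and thread start
TARGET_PROCESS_LIST = {"lsass.exe", "explorer.exe", "svchost.exe"}
# PROCESS_CREATE_THREAD (0x0002) | PROCESS_VM_WRITE (0x0020): minimum rights for this chain
INJECT_RIGHTS = 0x0002 | 0x0020

# Constructed Sysmon-style records (EventCode 10 = ProcessAccess, 8 = CreateRemoteThread).
EVENTS = [
    {"EventCode": 10, "UtcTime": "2024-01-01 10:00:00.000", "SourceProcessId": 4242,
     "SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe", "TargetProcessId": 1337,
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventCode": 8, "UtcTime": "2024-01-01 10:00:01.500", "SourceProcessId": 4242,
     "TargetProcessId": 1337, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00000203F8C20000", "StartModule": ""},     # not backed by a module
    {"EventCode": 10, "UtcTime": "2024-01-01 10:05:00.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 2000,
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1400"},  # query only
    {"EventCode": 8, "UtcTime": "2024-01-01 10:09:00.000", "SourceProcessId": 900,
     "TargetProcessId": 2000, "TargetImage": r"C:\Program Files\App\app.exe",
     "StartAddress": "0x00007FFB12340000", "StartModule": r"C:\Windows\System32\ntdll.dll"},
]

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_injection_chains(events, window_s=TIME_WINDOW_S, targets=TARGET_PROCESS_LIST):
    """Pair each CreateRemoteThread (8) with the latest ProcessAccess (10) from the same
    source into the same target that granted inject rights, inside the window."""
    alerts, pending = [], {}          # (src_pid, tgt_pid) -> qualifying access event
    for ev in sorted(events, key=_ts):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventCode"] == 10:
            if int(ev["GrantedAccess"], 16) & INJECT_RIGHTS == INJECT_RIGHTS:
                pending[key] = ev
        elif ev["EventCode"] == 8:
            acc = pending.pop(key, None)
            delay = (_ts(ev) - _ts(acc)).total_seconds() if acc else None
            if acc is None or delay > window_s:
                continue
            reasons = []
            if not ev.get("StartModule"):            # thread entry lies in unbacked memory
                reasons.append("unbacked_start_address")
            if ev["TargetImage"].rsplit("\\", 1)[-1].lower() in targets:
                reasons.append("sensitive_target")
            if reasons:
                alerts.append({"source": acc["SourceImage"], "target": ev["TargetImage"],
                               "delay_s": delay, "reasons": reasons})
    return alerts
```

Feeding real Sysmon events into `find_injection_chains` only requires the same field names; tune `window_s` and `targets` to the environment.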