Detects hijacking of an existing thread in another live process through a behavioral chain: the thread is opened (OpenThread) and suspended (SuspendThread), memory in the target's address space is allocated and written (VirtualAllocEx + WriteProcessMemory), the thread's context is redirected (SetThreadContext), and the thread is resumed (ResumeThread).

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | API Calls |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TargetProcessList | Sensitive processes that should never be targeted for thread hijack attempts |
| TimeWindow | Expected delay between SuspendThread and ResumeThread events; tight thresholds reduce evasion |
| SuspiciousThreadContextRegions | Memory regions or offsets that should not be targeted for SetThreadContext |
| ParentProcessAnomalyThreshold | Score deviation of the parent/child relationship in a thread injection chain |
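As an added example (not part of the original analytic page and not MITRE's own tooling), the following Python correlates API-call events into the six-step chain described above and applies three of the tunables from the table: TimeWindow (maximum SuspendThread to ResumeThread delay), TargetProcessList (sensitive targets raise severity), and SuspiciousThreadContextRegions (modeled here as the instruction pointer passed to SetThreadContext landing inside the region the same chain just allocated with VirtualAllocEx). The event field names, the sample processes and all addresses are constructed assumptions, not a real Sysmon or ETW schema; ParentProcessAnomalyThreshold is not modeled.

```python
"""Thread-hijack chain correlation (added example; constructed data only).

Field names (ts, src_pid, src_image, tgt_pid, tgt_image, api, detail) are
assumptions for this example, not a real Sysmon or ETW event schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The API chain from the analytic, in the order it must occur.
HIJACK_CHAIN = ["OpenThread", "SuspendThread", "VirtualAllocEx",
                "WriteProcessMemory", "SetThreadContext", "ResumeThread"]

# Tunables mirroring the table above (illustrative values, assumed).
TARGET_PROCESS_LIST = {"lsass.exe", "winlogon.exe", "csrss.exe"}
TIME_WINDOW = timedelta(seconds=5)  # max SuspendThread -> ResumeThread gap


@dataclass
class Event:
    ts: datetime
    src_pid: int
    src_image: str
    tgt_pid: int
    tgt_image: str
    api: str
    detail: dict = field(default_factory=dict)


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed base timestamp


def make_chain(src_pid, src_image, tgt_pid, tgt_image, start=0.0,
               rip=0x1F0010, gap=0.1) -> List[Event]:
    """Build a full six-call chain (constructed test data, addresses assumed)."""
    base, size, tid = 0x1F0000, 0x1000, 1337
    steps = [
        ("OpenThread", {"tid": tid}),
        ("SuspendThread", {"tid": tid}),
        ("VirtualAllocEx", {"base": base, "size": size, "protect": "RWX"}),
        ("WriteProcessMemory", {"base": base, "size": 0x200}),
        ("SetThreadContext", {"tid": tid, "rip": rip}),
        ("ResumeThread", {"tid": tid}),
    ]
    return [Event(T0 + timedelta(seconds=start + i * gap), src_pid, src_image,
                  tgt_pid, tgt_image, api, d) for i, (api, d) in enumerate(steps)]


def detect_thread_hijack(events: List[Event]) -> List[dict]:
    """Return one alert per (source pid, target pid) pair completing the chain."""
    by_pair: Dict[Tuple[int, int], List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_pair.setdefault((e.src_pid, e.tgt_pid), []).append(e)

    alerts = []
    for evs in by_pair.values():
        matched: List[Event] = []
        tid = None
        for e in evs:
            if len(matched) == len(HIJACK_CHAIN) or e.api != HIJACK_CHAIN[len(matched)]:
                continue
            # Thread-bound calls must refer to the thread opened in step 1.
            if "tid" in e.detail:
                if tid is None:
                    tid = e.detail["tid"]
                elif e.detail["tid"] != tid:
                    continue
            matched.append(e)
        if len(matched) < len(HIJACK_CHAIN):
            continue  # incomplete, e.g. a debugger's suspend/resume with no write

        suspend, alloc, ctx, resume = matched[1], matched[2], matched[4], matched[5]
        if resume.ts - suspend.ts > TIME_WINDOW:
            continue  # outside the expected SuspendThread -> ResumeThread delay

        # SuspiciousThreadContextRegions: new instruction pointer inside the
        # region this same chain just allocated in the target process.
        base, size = alloc.detail["base"], alloc.detail["size"]
        rip_in_new_region = base <= ctx.detail.get("rip", -1) < base + size
        severity = "high" if resume.tgt_image.lower() in TARGET_PROCESS_LIST else "medium"
        if rip_in_new_region:
            severity = "critical"
        alerts.append({
            "src_pid": resume.src_pid, "src_image": resume.src_image,
            "tgt_pid": resume.tgt_pid, "tgt_image": resume.tgt_image,
            "tid": tid, "severity": severity, "rip_in_new_region": rip_in_new_region,
            "duration_s": (resume.ts - suspend.ts).total_seconds(),
        })
    return alerts


# Constructed sample: one fast full chain, one chain too slow for TimeWindow,
# and benign debugger activity that never writes memory or sets context.
SAMPLE_EVENTS = (
    make_chain(4321, "updater.exe", 1200, "explorer.exe")
    + make_chain(5555, "slow.exe", 1300, "notepad.exe", start=10.0, gap=20.0)
    + [Event(T0 + timedelta(seconds=s), 900, "devenv.exe", 950, "app.exe", api, d)
       for s, api, d in [(1.0, "OpenThread", {"tid": 42}),
                         (1.1, "SuspendThread", {"tid": 42}),
                         (1.2, "GetThreadContext", {"tid": 42}),
                         (3.0, "ResumeThread", {"tid": 42})]]
)

if __name__ == "__main__":
    for a in detect_thread_hijack(SAMPLE_EVENTS):
        print(a)
```

The ordered walk deliberately ignores unrelated calls interleaved in the chain, so a GetThreadContext or extra ReadProcessMemory between steps does not break correlation, while a benign debugger that suspends and resumes without WriteProcessMemory and SetThreadContext never completes the chain and produces no alert.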