Process Injection
Process Write ProcessSegment — Write attacker-controlled executable code into the address space of a running process not owned by the attacker.
Detect
The activity_id = Inject is technique-defining and injection-method-agnostic. A rule gating solely on this field detects all cross-process writes regardless of primitive used. Rules filtering on injector name or hash are STP 1–2.
Detect cross-process memory write events using kernel telemetry (ETW, eBPF) targeting activity_id = Inject and the (actor.process.pid, process.pid) pair. Do not gate on actor.process.file.path. Anomalous source-to-target process relationships are high-signal.
Mitigate
Arbitrary Code Guard (ACG) prevents processes from mapping or modifying executable code, blocking the central artifact modification regardless of injection technique.
Enable ACG and Code Integrity Guard (CIG) on high-value processes. These controls operate at the kernel level against the ProcessSegment write — they cannot be bypassed by switching injection method.
Respond
The target process now executes attacker-controlled code. Kill the injector process and the compromised target immediately. Investigate all files, network connections, and child processes they spawned.
Entities: actor.process, actor.user, process. Countermeasures: d3f:ProcessTermination, d3f:AccountLocking, d3f:NetworkIsolation.

OCSF event model
Event class: Process Activity (1007)
· activity_id: Inject
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa
EVENT(["Process Activity\n· Inject"])
actor_process["Injector Process\nactor.process\nd3f:Process"]:::attacker
actor_user["Running Account\nactor.user\nd3f:UserAccount"]:::attacker
target_process["Target Process\nprocess\nd3f:Process"]:::postSuccess
device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted
EVENT --> actor_process
actor_process --> actor_user
EVENT --> target_process
EVENT --> device
actor_process -.->|"injects into"| target_process

actor.process · d3f:Process
Field | Field class | Notes |
actor.process.pid | variable | Source process identifier — must be present, OS-assigned |
actor.process.file.path | attacker_controlled | Injector binary path — attacker-chosen, easily changed |
actor.process.file.hash | attacker_controlled | Injector hash — trivially changed per recompile |
Countermeasure: d3f:ProcessTermination

actor.user · d3f:UserAccount
Countermeasure: d3f:AccountLocking

process · d3f:Process
Field | Field class | Notes |
process.pid | variable | Target process identifier — must be present, OS-assigned |
process.file.path | attacker_controlled | Target binary — attacker-chosen from available processes |
Countermeasure: d3f:ProcessTermination

device · d3f:Host
Countermeasure: d3f:NetworkIsolation

Definitional Sigma rule
Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.
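As an added example (not the page's own code, and not taken from the OCSF or Sigma projects), the following Python runs the definitional rule from the Detect section over constructed OCSF Process Activity events alongside two narrowed variants: one gated on the attacker-controlled injector path, one narrowed by excluding baselined source-to-target relationships. It then builds the response set from the Respond section for a hit. It assumes a plain dict layout for events, mirrors the page's field names (a single `file.hash` key rather than OCSF's `hashes` list), and every event, path, hash, pid and user name is constructed sample data.

```python
"""Added example, not from the page or any project it describes. All telemetry
below is constructed sample data; the event layout mirrors the page's field names."""

INJECT = "Inject"  # OCSF Process Activity (class 1007) activity name the page keys on
LAUNCH = "Launch"


def proc(pid, path, sha256=None):
    """Minimal process object: pid is OS-assigned (variable), file.path and
    file.hash are attacker-controlled for an injector. Constructed layout."""
    p = {"pid": pid, "file": {"path": path}}
    if sha256:
        p["file"]["hash"] = sha256
    return p


USER = {"name": "alice"}  # constructed actor.user

EVENTS = [  # constructed telemetry, ordered by time
    {"time": 1, "activity_name": LAUNCH,
     "actor": {"process": proc(4000, r"C:\Windows\explorer.exe"), "user": USER},
     "process": proc(4100, r"C:\Users\alice\Downloads\setup.exe")},
    # Cross-process write by a binary the analyst already knows by path.
    {"time": 2, "activity_name": INJECT,
     "actor": {"process": proc(4100, r"C:\Users\alice\Downloads\setup.exe", "a1" * 32), "user": USER},
     "process": proc(3200, r"C:\Windows\System32\svchost.exe")},
    # Same tool recompiled and renamed: path and hash differ, the write primitive does not.
    {"time": 3, "activity_name": INJECT,
     "actor": {"process": proc(4101, r"C:\Users\alice\AppData\Local\Temp\upd.exe", "b2" * 32), "user": USER},
     "process": proc(3300, r"C:\Windows\System32\dllhost.exe")},
    # Benign cross-process write from a debugger into the app it is attached to (baselined below).
    {"time": 4, "activity_name": INJECT,
     "actor": {"process": proc(5000, r"C:\Program Files\Debugger\dbg.exe"), "user": USER},
     "process": proc(5001, r"C:\Users\alice\app\app.exe")},
    # Launches after the writes: the targets of events 2 and 3 each spawn a shell.
    {"time": 5, "activity_name": LAUNCH,
     "actor": {"process": proc(3200, r"C:\Windows\System32\svchost.exe"), "user": USER},
     "process": proc(6000, r"C:\Windows\System32\cmd.exe")},
    {"time": 6, "activity_name": LAUNCH,
     "actor": {"process": proc(3300, r"C:\Windows\System32\dllhost.exe"), "user": USER},
     "process": proc(6001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")},
    {"time": 7, "activity_name": LAUNCH,  # unrelated launch from the desktop shell
     "actor": {"process": proc(4000, r"C:\Windows\explorer.exe"), "user": USER},
     "process": proc(6002, r"C:\Program Files\Browser\browser.exe")},
]


def rule_definitional(ev):
    """The page's Sigma rule: gate on activity_id = Inject and nothing else."""
    return ev["activity_name"] == INJECT


KNOWN_INJECTOR_PATHS = {r"C:\Users\alice\Downloads\setup.exe"}  # constructed


def rule_path_gated(ev):
    """Brittle variant: additionally requires a known injector path, an
    attacker-controlled field; a recompile and rename evades it."""
    return rule_definitional(ev) and ev["actor"]["process"]["file"]["path"] in KNOWN_INJECTOR_PATHS


# Source->target relationships expected on this host (constructed baseline).
# Excluding known-benign pairs narrows the rule without letting the attacker opt
# out: a renamed injector is just another pair that is not on the list.
BASELINE_PAIRS = {(r"C:\Program Files\Debugger\dbg.exe", r"C:\Users\alice\app\app.exe")}


def relationship(ev):
    """The source-to-target pair the page calls high-signal."""
    return (ev["actor"]["process"]["file"]["path"], ev["process"]["file"]["path"])


def rule_narrowed(ev):
    """Definitional rule narrowed by the source-to-target relationship."""
    return rule_definitional(ev) and relationship(ev) not in BASELINE_PAIRS


def evaluate(events, rule):
    """Times of the events a rule fires on."""
    return [ev["time"] for ev in events if rule(ev)]


def scope_response(events, hit):
    """Response set for one hit: terminate injector and target pids, lock the
    running account, and list every process the target launched afterwards."""
    src, tgt = hit["actor"]["process"]["pid"], hit["process"]["pid"]
    children = [ev["process"]["pid"] for ev in events
                if ev["activity_name"] == LAUNCH and ev["time"] > hit["time"]
                and ev["actor"]["process"]["pid"] == tgt]
    return {"terminate": [src, tgt], "lock_account": hit["actor"]["user"]["name"],
            "investigate_children": children}


if __name__ == "__main__":
    for name, rule in [("definitional", rule_definitional),
                       ("path_gated", rule_path_gated), ("narrowed", rule_narrowed)]:
        print(f"{name:13s} fires on events {evaluate(EVENTS, rule)}")
    for ev in EVENTS:
        if rule_narrowed(ev):
            print("respond:", scope_response(EVENTS, ev))
```

Run as a script, the path-gated rule fires only on event 2 and misses the renamed injector in event 3, while the activity-keyed rule catches both (and the debugger write in event 4); the relationship-narrowed rule keeps events 2 and 3 and drops only the baselined debugger pair, which is the narrowing the paragraph above recommends.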
title: Process Injection (T1055)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Inject'
  condition: selection

Seen in the wild (1 report)
GammaSteel achieves fileless execution by hijacking the Windows Color System Calibration Loader COM object under HKCU, loading attacker-controlled code into an existing process context.