Process Injection: DLL Injection
Process Write ProcessSegment — Write a DLL or shellcode into a target process's address space and execute it by spawning a remote thread via CreateRemoteThread.
Detect
api.name is not OCSF native — requires an extension. Without it, this sub-technique is indistinguishable from other injection variants at the event level. Practical detection via Sysmon EID 8 (CreateRemoteThread) uses source/target process relationship filters — STP 3, as the injection primitive is an attacker-chosen Execution Medium.
Until api.name is available in OCSF, use Sysmon Event ID 8 (CreateRemoteThread) with source/target process relationship filters. Suspicious cross-process thread creation (e.g. browser → system process) is the highest-signal pattern.
Mitigate
ACG/CIG operate at the kernel level against the ProcessSegment write — they cannot be bypassed by switching injection primitive.
Enable ACG and Code Integrity Guard (CIG). These controls are technique-level — they apply to all T1055 sub-techniques regardless of injection primitive.
Respond
The target process now executes attacker-controlled code. Kill the injector process and the compromised target immediately. Investigate all files, network connections, and child processes they spawned.
Objects: actor.process · api · process. Countermeasures: d3f:ProcessTermination · d3f:NetworkIsolation

OCSF event model
Event class: Process Activity (1007)
· activity_id: Inject
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa
EVENT(["Process Activity\n· Inject"])
actor_process["Injector Process\nactor.process\nd3f:Process"]:::attacker
target_process["Target Process\nprocess\nd3f:Process"]:::postSuccess
injection_api["Injection Primitive\napi\nd3f:SystemCall"]:::attacker
device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted
EVENT --> actor_process
EVENT --> target_process
EVENT --> injection_api
EVENT --> device
actor_process -.->|"injects into"| target_process

| Object | Field | Variability | Notes | Countermeasure |
| actor.process · d3f:Process | actor.process.file.path | attacker_controlled | Injector binary path — attacker-chosen, easily changed | d3f:ProcessTermination |
| process · d3f:Process | process.pid | variable | Target process identifier — OS-assigned, varies per execution | d3f:ProcessTermination |
| api · d3f:SystemCall | api.name | invariant | = CreateRemoteThread | |
| device · d3f:Host | | | | d3f:NetworkIsolation |

Definitional Sigma rule
Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.
title: 'Process Injection: DLL Injection (T1055.001)'
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Process Activity (1007)
detection:
  selection:
    activity_id: 'Inject'
    api.name: 'CreateRemoteThread'
  condition: selection