DET0106 Behavioral Detection of PE Injection via Remote Memory Mapping

| Item | Value |
|---|---|
| ID | DET0106 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1055.002 (Portable Executable Injection)

Analytics

Windows

AN0297

Detects PE injection through a behavioral sequence where one process opens a handle to another (OpenProcess), allocates remote memory (VirtualAllocEx), writes a PE header (MZ) or shellcode (WriteProcessMemory), then starts a new thread (CreateRemoteThread or NtCreateThreadEx) in that process—executing injected code in memory without touching disk. Optionally, the written code is a trampoline or shellcode that unpacks or reflectively maps the real payload.

Log Sources

| Data Component Name | Channel |
|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon EventCode=8 |
| Process Creation (DC0032) | WinEventLog:Sysmon EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon EventCode=11 |

Mutable Elements

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Controls for detecting high-entropy memory writes indicating shellcode or encrypted PE |
| TargetProcessList | High-value or sensitive processes that should never have remote threads injected |
| TimeWindow | Max allowed delay between memory write and thread execution |
| ParentProcessAnomalyThreshold | Used to filter legitimate process hierarchies vs anomalous injection sources |
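The following is an added example, not part of DET0106 or ATT&CK's own tooling, showing how the AN0297 sequence and the mutable elements above translate into detection logic. It correlates a Sysmon Event 10 (process access with a GrantedAccess mask that includes the rights needed to write memory and create a thread) with a later Event 8 (CreateRemoteThread) from the same source PID into the same target PID inside TimeWindow, raises severity when the target is on TargetProcessList, and applies PayloadEntropyThreshold to a written buffer. The threshold values, the process list, and the pipe-delimited key=value log format are assumptions; the sample events and sample buffers are constructed. Sysmon does not log the contents of WriteProcessMemory, so the buffer check stands in for a memory capture another sensor would provide.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Mutable elements of DET0106; the concrete values below are assumptions for this example.
PAYLOAD_ENTROPY_THRESHOLD = 6.5            # bits per byte; packed/encrypted payloads approach 8.0
TARGET_PROCESS_LIST = {"lsass.exe", "winlogon.exe"}   # hypothetical sensitive targets
TIME_WINDOW = timedelta(seconds=30)        # max gap between handle open and remote thread start

# Win32 process access rights as they appear in Sysmon Event 10 GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events in a simplified pipe-delimited key=value form (not real Sysmon output).
SAMPLE_EVENTS = [
    # 1. loader opens lsass.exe with full access, then starts a remote thread 2.5 s later -> alert
    "UtcTime=2025-10-21 10:00:01.000|EventCode=10|SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe"
    "|SourceProcessId=4412|TargetImage=C:\\Windows\\System32\\lsass.exe|TargetProcessId=688|GrantedAccess=0x1FFFFF",
    "UtcTime=2025-10-21 10:00:03.500|EventCode=8|SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe"
    "|SourceProcessId=4412|TargetImage=C:\\Windows\\System32\\lsass.exe|TargetProcessId=688"
    "|NewThreadId=5120|StartAddress=0x00000213A4F10000",
    # 2. Task Manager queries explorer.exe with query-only rights (0x1400) -> no injection rights
    "UtcTime=2025-10-21 10:00:05.000|EventCode=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|SourceProcessId=3000|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2200|GrantedAccess=0x1400",
    # 3. handle with injection rights but the thread comes 60 s later, outside TIME_WINDOW -> no alert
    "UtcTime=2025-10-21 10:10:00.000|EventCode=10|SourceImage=C:\\Tools\\svc.exe|SourceProcessId=5000"
    "|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2200|GrantedAccess=0x1FFFFF",
    "UtcTime=2025-10-21 10:11:00.000|EventCode=8|SourceImage=C:\\Tools\\svc.exe|SourceProcessId=5000"
    "|TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=2200|NewThreadId=5200|StartAddress=0x00007FF6A0001000",
]


def parse_event(line):
    """Turn one constructed key=value line into a dict with typed time and event code."""
    ev = dict(part.split("=", 1) for part in line.split("|"))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], TS_FORMAT)
    ev["EventCode"] = int(ev["EventCode"])
    return ev


def has_injection_rights(granted_access):
    """True when the GrantedAccess mask includes every right needed for write-and-execute injection."""
    return int(granted_access, 16) & INJECTION_RIGHTS == INJECTION_RIGHTS


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for uniform data, 8.0 for perfectly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data):
    """Apply the PE-header and PayloadEntropyThreshold checks to a captured memory write."""
    if data[:2] == b"MZ":
        return "pe_header"
    if shannon_entropy(data) >= PAYLOAD_ENTROPY_THRESHOLD:
        return "high_entropy"
    return "benign"


def correlate(lines):
    """Pair a qualifying Event 10 with a later Event 8 on the same (source, target) PID pair."""
    pending = {}   # (SourceProcessId, TargetProcessId) -> time of handle open with injection rights
    alerts = []
    for ev in map(parse_event, lines):
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventCode"] == 10 and has_injection_rights(ev["GrantedAccess"]):
            pending[key] = ev["UtcTime"]
        elif ev["EventCode"] == 8 and key in pending:
            opened = pending.pop(key)
            if ev["UtcTime"] - opened <= TIME_WINDOW:
                target_name = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
                alerts.append({
                    "source": ev["SourceImage"],
                    "target": ev["TargetImage"],
                    "start_address": ev["StartAddress"],
                    "delay_s": (ev["UtcTime"] - opened).total_seconds(),
                    "severity": "high" if target_name in TARGET_PROCESS_LIST else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    print(classify_payload(b"MZ\x90\x00" + bytes(60)))
```

The correlation keys on PIDs rather than image names so that a second handle open by the same loader resets the window, and the query-only GrantedAccess in the Task Manager event shows why the mask check matters: Event 10 volume is high, and only masks that carry write-plus-thread rights should seed a pending pair.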