
DET0295 Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching

Item           Value
ID             DET0295
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1055.003 (Thread Execution Hijacking)

Analytics

Windows

AN0822

Detects hijacking of an existing thread in another live process through a behavioral chain of API calls: a handle to the thread is obtained (OpenThread), the thread is suspended (SuspendThread), memory in the target process is allocated and written (VirtualAllocEx + WriteProcessMemory), the thread's register context is redirected (SetThreadContext), and the thread is resumed (ResumeThread), all within the target process's address space.

Log Sources

Data Component             Name                                  Channel
Process Access (DC0035)    WinEventLog:Sysmon                    EventCode=10
Process Modification (DC0020)  WinEventLog:Sysmon                EventCode=8
OS API Execution (DC0021)  etw:Microsoft-Windows-Kernel-Process  API Calls
Process Creation (DC0032)  WinEventLog:Sysmon                    EventCode=1
Mutable Elements

Field                           Description
TargetProcessList               Sensitive processes that should never be targeted for thread hijack attempts
TimeWindow                      Expected delay between SuspendThread and ResumeThread events; tight thresholds reduce evasion
SuspiciousThreadContextRegions  Memory regions or offsets that should not be targeted for SetThreadContext
ParentProcessAnomalyThreshold   Score deviation of the parent/child relationship in a thread injection chain
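The following is an added correlation example, not part of the DET0295 page or of any MITRE tooling: it walks normalized API-call events (field names ts/api/src_pid/tgt_pid/tgt_image are assumed, not a real ETW or Sysmon schema) and raises an alert only when one source/target PID pair completes the full AN0822 chain in order, with the ResumeThread falling inside the TimeWindow measured from SuspendThread, and scores the alert higher when the target is on TargetProcessList. The sample telemetry is constructed and includes a debugger-style suspend/resume that must not alert.

```python
from datetime import datetime

# API chain from AN0822, in order; every step must share one (src, tgt) PID pair.
CHAIN = ("OpenThread", "SuspendThread", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def detect_thread_hijack(events, time_window_s=5.0,
                         target_process_list=("lsass.exe", "winlogon.exe")):
    """Return alerts for every (src_pid, tgt_pid) pair that completes CHAIN.
    Event keys ts/api/src_pid/tgt_pid/tgt_image are assumed, not a real schema."""
    progress = {}  # (src_pid, tgt_pid) -> (next CHAIN index, SuspendThread ts)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_pid"], ev["tgt_pid"])
        step, suspended_at = progress.get(key, (0, None))
        if ev["api"] != CHAIN[step]:
            if ev["api"] == CHAIN[0]:      # a fresh OpenThread restarts the chain
                progress[key] = (1, None)
            continue                       # unrelated/out-of-order call: ignore
        if ev["api"] == "SuspendThread":
            suspended_at = ev["ts"]
        step += 1
        if step < len(CHAIN):
            progress[key] = (step, suspended_at)
            continue
        progress.pop(key)                  # ResumeThread closes the chain
        if (ev["ts"] - suspended_at).total_seconds() <= time_window_s:  # TimeWindow
            alerts.append({"src_pid": ev["src_pid"], "tgt_pid": ev["tgt_pid"],
                           "tgt_image": ev["tgt_image"],
                           "severity": "high" if ev["tgt_image"].lower()
                           in target_process_list else "medium"})
    return alerts

def _ev(sec, api, src, tgt, image):
    return {"ts": datetime(2025, 10, 21, 12, 0, sec), "api": api,
            "src_pid": src, "tgt_pid": tgt, "tgt_image": image}

# Constructed sample telemetry: a full chain from PID 4242 into lsass.exe, and a
# debugger-style suspend/resume from PID 5100 that never writes memory.
SAMPLE_EVENTS = [
    _ev(0, "OpenThread", 4242, 700, "lsass.exe"),
    _ev(1, "SuspendThread", 4242, 700, "lsass.exe"),
    _ev(1, "VirtualAllocEx", 4242, 700, "lsass.exe"),
    _ev(2, "WriteProcessMemory", 4242, 700, "lsass.exe"),
    _ev(2, "SetThreadContext", 4242, 700, "lsass.exe"),
    _ev(3, "ResumeThread", 4242, 700, "lsass.exe"),
    _ev(0, "OpenThread", 5100, 3300, "notepad.exe"),
    _ev(1, "SuspendThread", 5100, 3300, "notepad.exe"),
    _ev(4, "ResumeThread", 5100, 3300, "notepad.exe"),
]
```

Running `detect_thread_hijack(SAMPLE_EVENTS)` yields one high-severity alert for 4242 -> 700; tightening `time_window_s` to 1 suppresses it, which is the evasion trade-off the TimeWindow element describes.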