How to detect Process Injection with Log360

Understanding the threat- What is Process Injection?

Process injection is a technique in which attackers insert malicious code into the memory space of a legitimate process, allowing the payload to run under a trusted application's identity. This helps adversaries bypass application allow listing, hide malicious behavior, and evade traditional signature-based detection. Common methods include Dynamic Link Library(DLL) injection, process hollowing, Asynchronous Procedure Call (APC) injection, and remote thread creation. When successful, it blends the attacker’s actions with normal system activity. As a result, endpoint security tools often struggle to distinguish malicious actions from legitimate process behavior.

Attackers frequently abuse legitimate signed Windows binaries, like mavinject.exe, to perform stealthy injections. They may also rename these binaries or run them from non-standard paths to evade monitoring and bypass security controls. After injecting code into a process such as conhost.exe, the attacker gains elevated privileges or persistence while remaining hidden. This allows subsequent malicious actions like command execution, credential theft, or lateral movement to appear benign. Without robust monitoring of process creation, Dynamic Link Library (DLL) loads, and parent–child anomalies, such attacks can go undetected.

Category

Endpoint

Relevant MITRE ATT&CK mapping

• TA0005 – Defense Evasion: T1055 (Process Injection).
• TA0003 – Persistence / T1218.013 (System Binary Proxy Execution: mavinject.exe) - abuse of mavinject.exe for DLL injection

Scenario

During a routine overnight health check, a Security Operations Center (SOC) analyst at a financial services company noticed a sudden CPU spike on an application server that typically showed minimal activity after business hours. Initial process listings looked normal, with trusted Windows binaries like conhost.exe and svchost.exe running as expected. However, deeper event log inspection revealed that conhost.exe had spawned at an unusual time and under a user context that did not match its regular operational pattern.

As the team investigated further, they found traces of mavinject.exe being executed earlier in the evening—an uncommon event on this server. Even more suspicious, another execution of what appeared to be a renamed version of mavinject.exe came from a temporary directory, indicating an attempt to mask the injection source. These binaries had injected malicious DLLs into conhost.exe, enabling the attacker to run code invisibly while leveraging a legitimate Windows process. Since the organization lacked monitoring for code injection events or parent–child anomalies, the attack persisted undetected until performance degradation revealed something was wrong.

What went wrong

• No monitoring for DLL injection activity: The environment did not track execution of process injection tools like mavinject.exe or its renamed variants, allowing malicious code to enter trusted processes unnoticed.
• Lack of parent–child process validation:Conhost.exe creating child processes or behaving abnormally was not monitored, so the attacker used it to hide malicious threads without generating alerts.
• Blind spots around renamed LOLBins: The attacker’s use of a renamed system binary bypassed existing allow listing, which only tracked original filenames and paths.
• Insufficient baseline for normal process behavior: The SOC had no behavior-based thresholds for unusual process launches at odd hours, making the suspicious activity appear normal.
• Privileged account compromise went undetected: The injection was performed using an account with legitimate privileges, and without UEBA, its unusual execution patterns were never flagged.

How process-injection monitoring helps

• Detects use of injection tools: Monitoring for mavinject.exe and its renamed variants allows immediate detection of DLL injection attempts into trusted system processes.
• Flags suspicious parent–child process chains: Alerts trigger when conhost.exe or similar Windows processes spawn unexpected children or load abnormal DLLs.
• Identifies tampering with trusted binaries: File integrity and path checks detect renamed or relocated LOLBins (Living Off the Land Binaries) used to bypass application controls.
• Highlights abnormal process execution patterns: Behavior analytics catches unusual execution times, high-frequency launches, or spikes in process activity that signal injection attempts.
• Exposes privileged account misuse: UEBA correlates process injection events with account behavior, surfacing anomalies that indicate compromised admin accounts.

Real-world Trends in Process Injection

• Increasing use in ransomware delivery chains Modern ransomware groups use process injection to hide malicious payloads inside legitimate processes like explorer.exe or svchost.exe, helping them evade EDRs and run encryption routines without being flagged.
• Living-off-the-land (LotL) injection techniques rising Attackers increasingly rely on built-in Windows utilities such as mavinject.exe to inject DLLs discreetly. This reduces the need for custom malware and makes their activity blend in with normal system operations.
• Adoption of stealthier, file less injection methods Many threat actors now inject code directly into memory using techniques such as APC injection or thread hijacking. These methods leave minimal artifacts on disk, making detection and forensic investigation significantly harder.

Prerequisites

• Sysmon Deployment & Auditing Enabled:

  Ensure Sysmon is installed with a configuration that captures process creation, image loading, and DLL injection events (Event IDs 1, 7, 8, and 10).

• Log360 Integrated & Configured:

  All critical servers, endpoints, and domain controllers must be added as log sources, with Sysmon and Windows Security logs flowing consistently.

• UEBA Baselines Established:

  Normal process behaviors, especially around conhost.exe, mavinject.exe, and DLL loads, should be baseline-profiled to detect deviations.

• Privileged & High-Risk Process Monitoring:

  Ensure monitoring is enabled for administrative tools and system utilities commonly abused for injection, including renamed binaries.

How Log360 Detects Process Injection

Step 1: Collect Windows process, Sysmon, and command-line logs

To detect process injection, Log360 must ingest detailed process-level telemetry from Windows endpoints.

Configure log ingestion:

Log360 helps analysts identify the malicious use of trusted system binaries by surfacing suspicious executions, providing investigation tools, and enabling rapid incident handling. Here’s how:

• Navigate to Settings > Log Sources > Windows Devices and ensure all critical servers, workstations, and domain controllers are added.
• Enable collection of:
  • Windows Security Logs (Event ID 4688 – Process Creation)
  • Sysmon Logs (Event IDs: 1, 7, 8, 10, 11)
  • Application and System Logs for process anomalies.
• Enable Sysmon with a recommended config that logs:
  • ImageLoad events (Event ID 7) → detects suspicious DLL loads.
  • CreateRemoteThread (Event ID 8) → core indicator of injection.
  • ProcessAccess (Event ID 10) → unusual handle access to high-privilege processes.
  • FileCreate events for newly dropped or renamed executables such as renamed mavinject.exe.

Log360 parses these logs automatically and indexes them for search, correlation, and alerting.

Step 2: Establish normal process behavior baselines

Process injection is typically detected by spotting behavior that deviates from normal process activity.

Go to UEBA > Baselines and allow Log360 to learn typical patterns such as:

• Normal parent–child process relationships (e.g., conhost.exe normally spawns cmd.exe or powershell.exe—not unknown binaries)
• Expected DLL load behavior for system processes
• Legitimate usage patterns of signed Microsoft tools (including mavinject.exe and conhost.exe )
• Usual memory-access behavior between processes
• Expected execution times for administrative utilities

Once these baselines are established, Log360 can highlight anomalies such as:

• A renamed binary attempting injection
• conhost.exe spawning unusual processes
• Off-hours execution of tools rarely used in the environment
• Unexpected handle access to system processes

Step 3: Review process-related security reports

After baselines are configured, review Log360’s built-in reports for injected or tampered process activity.

Navigate to Reports > Endpoint Security > Process Monitoring.

Key report groups to monitor:

• Suspicious Process Creation Report

  Flags processes spawned with odd command-line arguments or unexpected parent–child patterns.

• Image Load (DLL Load) Report

  Highlights DLLs loaded from non-standard locations, unsigned DLLs, or unusual injection patterns.

• CreateRemoteThread Activity Report (Sysmon ID 8)

  Lists processes attempting to write to or execute inside another process’s memory space.

• Process Access Report (Sysmon ID 10)

  Highlights processes attempting to open handles to critical system processes.

• Uncommon Child Process of Conhost.exe

  Flags situations where conhost.exe launches unexpected binaries.

These reports help the SOC detect early signs of injection and privilege escalation.

Step 4: Correlate injection indicators using correlation rules

Log360 uses correlation rules to connect multiple suspicious activities that together indicate process injection.

Go to Correlation > Create Rule and add conditions such as:

• DLL loads into privileged processes from unexpected paths
• Renamed mavinject.exe execution followed by DLL injection behavior
• CreateRemoteThread events targeting lsass.exe, winlogon.exe, or browser processes
• Unusual child process of conhost.exe created shortly after a suspicious user login
• Process spawning with encoded or obfuscated command-line arguments

The correlation engine links these signals and generates alerts when an injection pattern is recognized across multiple logs.

Step 5: Configure real-time alerts for injection behavior

Immediate alerting helps stop credential theft, malware loading, or memory attacks .

Navigate to Alerts > Manage Profiles > Add Alert Profile or import built-in threat detection rules from:

Settings > Marketplace > Installed Extensions > Windows / Sysmon Threat Detection

Enable alerts for:

• CreateRemoteThread events on critical processes
• DLL injection via mavinject.exe or renamed variants
• Unusual process access to LSASS, winlogon, or browser processes
• Unexpected conhost.exe child processes
• Injection-like behavior from untrusted or unsigned binaries
• Configure notification channels such as email, SMS, Teams, Slack, or ticketing tools.

Next steps

• Investigate suspicious processes

  Review all alerts tied to unusual parent–child processes and injected DLL activity.

• Validate executions with IT teams

  Confirm whether flagged binaries or command-line executions align with approved maintenance.

• Contain compromised endpoints

  Isolate affected machines, terminate malicious processes, and reset involved credentials.

• Identify root cause of injection

  Determine how the attacker gained execution and map related lateral movement attempts.

• Strengthen monitoring and rules

  Refine Log360 correlation logic and baseline models to improve future detection accuracy.