detecting-process-injection-techniques

Featured

Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100


Skill Content

# Detecting Process Injection Techniques

## When to Use

- EDR alerts on suspicious API call sequences (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)
- A legitimate process (explorer.exe, svchost.exe) exhibits unexpected network connections or file operations
- Memory forensics reveals executable code in memory regions that should not contain it
- Investigating living-off-the-land attacks where malware hides inside trusted processes
- Building detection logic for specific injection techniques in EDR or SIEM rules

**Do not use** for standard DLL loading analysis; injection implies unauthorized code placement in a process without that process's cooperation.

## Prerequisites

- Volatility 3 for memory forensics analysis of injection artifacts
- Sysmon configured with Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess)
- API Monitor or x64dbg for observing injection API calls in real time
- Process Hacker or Process Explorer for inspecting process memory regions
- Understanding of Windows memory management (VirtualAlloc, VAD, page protections)
- Isolated analysis environment for safe malware execution and monitoring

## Workflow

### Step 1: Identify Injection via Memory Forensics

Use Volatility to detect injected code in process memory:

```bash
# malfind: Primary injection detection plugin
vol3 -f memory.dmp windows.malfind

# malfind detects:
# - Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection
# - PE headers (MZ signature) in non-image VAD entri...
```
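The Sysmon side of the prerequisites (Event ID 10 ProcessAccess followed by Event ID 8 CreateRemoteThread from the same source into the same target) can be turned into a small correlation rule. This is an added example, not code from the skill or its repository; the event records are constructed samples, and the access-mask constants are the standard winnt.h PROCESS_* rights.

```python
"""Flag cross-process injection from Sysmon Event ID 10 (ProcessAccess) and
Event ID 8 (CreateRemoteThread) records. Events below are constructed samples."""
from collections import defaultdict

# Rights a VirtualAllocEx + WriteProcessMemory + CreateRemoteThread chain needs
# on the target handle (winnt.h PROCESS_* access rights).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "1234",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "1234",
     "StartAddress": "0x00000000024A0000", "StartModule": "", "StartFunction": ""},
    # Benign: a tool that only queries/reads the target (no write, no thread rights).
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": "1234",
     "GrantedAccess": "0x1410"},
]


def score_injection(events):
    """Return {(source_image, target_pid): [reasons]} for pairs that show
    both an injection-capable handle (EID 10) and a remote thread (EID 8)."""
    findings = defaultdict(list)
    for ev in events:
        key = (ev["SourceImage"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                findings[key].append("EID10: handle with CREATE_THREAD|VM_OPERATION|VM_WRITE")
        elif ev["EventID"] == 8:
            if ev["SourceImage"].lower() != ev["TargetImage"].lower():
                findings[key].append("EID8: remote thread created in another process")
            if not ev.get("StartModule"):
                findings[key].append("EID8: start address not backed by a loaded module")
    # Keep only pairs where a remote thread actually appeared; a handle alone
    # (e.g. Task Manager reading memory) is not enough to alert on.
    return {k: v for k, v in findings.items() if any(r.startswith("EID8") for r in v)}


if __name__ == "__main__":
    for pair, reasons in score_injection(SAMPLE_EVENTS).items():
        print(pair, *reasons, sep="\n  ")
```

In production the same logic runs over the SIEM's parsed Sysmon fields; the Event ID 8 hit with an empty StartModule is the signal worth escalating to a malfind pass on a memory image of the target.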

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

hunting-for-process-injection-techniques

Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry

12,642 Updated today
mukul975
AI & Automation Featured

detecting-t1055-process-injection-with-sysmon

Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-process-hollowing-technique

Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-fileless-malware-techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-dll-sideloading-attacks

Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.

12,642 Updated today
mukul975