detecting-t1055-process-injection-with-sysmon

# Detecting T1055 Process Injection with Sysmon ## When to Use - When hunting for defense evasion techniques that hide malicious code inside legitimate processes - After EDR alerts for suspicious cross-process memory access or remote thread creation - When investigating malware that injects into svchost.exe, explorer.exe, or other system processes - During purple team exercises testing detection of process injection variants - When validating Sysmon configuration coverage for injection detection ## Prerequisites - Sysmon deployed with comprehensive configuration capturing Events 1, 7, 8, 10, 25 - Event ID 8 (CreateRemoteThread) enabled for remote thread detection - Event ID 10 (ProcessAccess) configured with appropriate access mask filters - Event ID 7 (ImageLoaded) for DLL injection detection - Event ID 25 (ProcessTampering) for process hollowing on Sysmon 13+ - SIEM platform for correlation and alerting ## Workflow 1. **Monitor CreateRemoteThread (Event 8)**: Detect when one process creates a thread in another process's address space. This is the primary indicator of classic DLL injection and shellcode injection. 2. **Analyze ProcessAccess (Event 10)**: Track cross-process handle requests with PROCESS_VM_WRITE (0x0020), PROCESS_VM_OPERATION (0x0008), and PROCESS_CREATE_THREAD (0x0002) access rights. Legitimate processes rarely need these on other processes. 3. **Detect Anomalous DLL Loading (Event 7)**: Identify DLLs loaded from unusual paths (user temp directories, d...