hunting-for-process-injection-techniques

Solid

Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 97/100

| Factor | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 97 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Hunting for Process Injection Techniques

## Overview

Process injection (MITRE ATT&CK T1055) lets an adversary run code inside the address space of another process, which serves defense evasion (the code executes under a trusted image name) and privilege escalation (the code inherits the target's rights). This skill detects injection via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious GrantedAccess rights), and analysis of source-to-target process relationships to separate legitimate cross-process access (AV engines, debuggers) from malicious injection.

## When to Use

- When investigating security incidents that require hunting for process injection techniques
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Sysmon installed with Event IDs 8 and 10 enabled (Event ID 10 is not logged unless the Sysmon configuration carries an explicit ProcessAccess rule, so check the deployed config before trusting an absence of hits)
- Process creation logs (Sysmon Event ID 1 or Windows Security Event 4688)
- Python 3.8+ with standard library
- JSON-formatted Sysmon event logs

## Steps

1. **Parse Sysmon Events**: ingest Event IDs 1, 8, and 10 from JSON log files
2. **Detect CreateRemoteThread**: flag Event ID 8 with suspicious source-target process pairs; a thread whose StartModule is empty (start address not backed by any loaded module) or whose StartFunction is LoadLibrary is the strongest signal
3. **Analyze ProcessAccess Rights**: identify Event ID 10 whose GrantedAccess mask contains PROCESS_VM_WRITE (0x0020) together with PROCESS_CREATE_THREAD (0x0002) or PROCESS_SUSPEND_RESUME (0x0800); test the mask bitwise rather than matching the hex string, since PROCESS_ALL_ACCESS (0x1FFFFF) includes these bits as well. APC- and SetThreadContext-based variants generate no Event ID 8, so this step is the only Sysmon coverage for them
4. **Build Process Relationship Graph**: map source-to-target injection relationships
5. **Filter Known Legitimate Pairs**: exclude known benign injection patterns (AV, debuggers, ...
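The five steps above, carried through as one script. This is an added example and not the skill's own code: it assumes a constructed, flattened JSON-lines layout for Sysmon records (field names as Sysmon writes them, one object per line; real forwarders nest them differently), a hypothetical allowlist of benign (source, target) image pairs, and constructed sample events rather than real telemetry.

```python
"""Added example (not the skill's own code): triage Sysmon Event ID 8 and 10
records for process-injection indicators and build the source->target graph.
The JSON record layout is a constructed, flattened shape; adapt field names
to whatever your log forwarder emits."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Process access rights from winnt.h (standard Windows constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# An injector must be able to write the target's memory AND either start a
# thread or suspend/resume one (hollowing, thread hijacking). Require both.
WRITE_BITS = PROCESS_VM_WRITE
EXEC_BITS = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME

# Hypothetical allowlist of (source, target) image basenames that inject
# legitimately in this environment. Basenames alone are spoofable; pair this
# with full-path and signer checks before relying on it in production.
KNOWN_BENIGN_PAIRS = {("msmpeng.exe", "svchost.exe")}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def parse_access(value):
    """Sysmon writes GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(value, 16) if isinstance(value, str) else int(value)


def dangerous_access(mask):
    """Bitwise test: write right plus a thread-control right."""
    return bool(mask & WRITE_BITS) and bool(mask & EXEC_BITS)


def hunt(records, allow=KNOWN_BENIGN_PAIRS):
    """Return findings for Event 8/10 records; Event 1 only enriches command lines."""
    cmdline_by_pid = {}
    findings = []
    for r in records:
        eid = int(r["EventID"])
        if eid == 1:
            cmdline_by_pid[int(r["ProcessId"])] = r.get("CommandLine", "")
            continue
        if eid not in (8, 10):
            continue
        src, tgt = basename(r["SourceImage"]), basename(r["TargetImage"])
        if (src, tgt) in allow:
            continue
        reason = None
        if eid == 8:
            # A remote thread starting outside any loaded module (empty
            # StartModule) is the classic shellcode-injection signature;
            # LoadLibrary as the start function is classic DLL injection.
            if not r.get("StartModule"):
                reason = "remote thread at unbacked start address"
            elif r.get("StartFunction", "").startswith("LoadLibrary"):
                reason = "remote thread via LoadLibrary (DLL injection)"
        else:
            mask = parse_access(r["GrantedAccess"])
            if dangerous_access(mask):
                reason = f"ProcessAccess with write+thread rights 0x{mask:X}"
        if reason:
            pid = int(r["SourceProcessId"])
            findings.append({
                "event_id": eid, "source": src, "target": tgt,
                "source_pid": pid,
                "source_cmdline": cmdline_by_pid.get(pid, ""),
                "reason": reason,
            })
    return findings


def injection_graph(findings):
    """Map each injecting source image to the set of targets it touched."""
    graph = defaultdict(set)
    for f in findings:
        graph[f["source"]].add(f["target"])
    return dict(graph)


# Constructed sample records (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4412, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /silent"}
{"EventID": 8, "SourceProcessId": 4412, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "TargetProcessId": 1337, "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x00000201A3F40000", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "SourceProcessId": 2900, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetProcessId": 900, "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x00007FFB12340000", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"}
{"EventID": 10, "SourceProcessId": 4412, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "TargetProcessId": 700, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceProcessId": 5120, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetProcessId": 8800, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1000"}
"""


def load_jsonl(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    results = hunt(load_jsonl(SAMPLE_LOG))
    for f in results:
        print(f"[EID {f['event_id']}] {f['source']} -> {f['target']}: {f['reason']}")
    print(injection_graph(results))
```

On the sample, the allowlisted Defender-to-svchost thread and the Task Manager open with PROCESS_QUERY_LIMITED_INFORMATION (0x1000) are dropped, while update.exe is reported twice: once for a thread started at an unbacked address in explorer.exe, and once for opening lsass.exe with PROCESS_ALL_ACCESS. The graph then shows one source touching two targets, which is the relationship view step 4 asks for.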

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-t1055-process-injection-with-sysmon

Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-process-injection-techniques

Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-process-hollowing-technique

Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-registry-persistence-mechanisms

Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and COM hijacking in Windows environments.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-webshell-activity

Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.

12,642 Updated today
mukul975