Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-12 22:24:56 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,84 @@
+# Process Injection Detection API Reference
+
+## Volatility 3 Plugins
+
+```bash
+# Detect injected code (RWX memory, PE headers in non-image VADs)
+vol3 -f memory.dmp windows.malfind
+vol3 -f memory.dmp windows.malfind --pid 1234
+
+# List processes
+vol3 -f memory.dmp windows.pslist
+
+# Scan for hidden processes
+vol3 -f memory.dmp windows.psscan
+
+# List DLLs for a process
+vol3 -f memory.dmp windows.dlllist --pid 1234
+
+# Dump injected code
+vol3 -f memory.dmp windows.malfind --dump --pid 1234
+
+# List threads
+vol3 -f memory.dmp windows.threads --pid 1234
+
+# VAD tree (memory regions)
+vol3 -f memory.dmp windows.vadinfo --pid 1234
+```
+
+## Injection Techniques and API Sequences
+
+| Technique | API Sequence |
+|-----------|-------------|
+| Classic DLL | OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread |
+| Process Hollowing | CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> WriteProcessMemory -> ResumeThread |
+| APC Injection | OpenThread -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC |
+| Reflective DLL | VirtualAlloc -> memcpy -> CreateThread (in-process) |
+| Thread Hijacking | OpenThread -> SuspendThread -> SetThreadContext -> ResumeThread |
+
+## Sysmon Event IDs for Injection
+
+| Event ID | Name | Relevance |
+|----------|------|-----------|
+| 1 | ProcessCreate | Hollowed process creation (SUSPENDED) |
+| 7 | ImageLoaded | Reflective DLL loads (unsigned) |
+| 8 | CreateRemoteThread | Classic injection indicator |
+| 10 | ProcessAccess | PROCESS_VM_WRITE + PROCESS_CREATE_THREAD |
+| 25 | ProcessTampering | Image file replaced (hollowing) |
+
+## Sysmon Config for Injection Detection
+
+```xml
+<Sysmon schemaversion="4.90">
+  <EventFiltering>
+    <ProcessAccess onmatch="include">
+      <GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
+      <GrantedAccess condition="is">0x1FFFFF</GrantedAccess>
+    </ProcessAccess>
+    <CreateRemoteThread onmatch="exclude">
+      <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
+    </CreateRemoteThread>
+  </EventFiltering>
+</Sysmon>
+```
+
+## python-evtx Usage
+
+```python
+import Evtx.Evtx as evtx
+
+with evtx.Evtx("Sysmon.evtx") as log:
+    for record in log.records():
+        xml = record.xml()
+        if "<EventID>8</EventID>" in xml:
+            print("CreateRemoteThread:", record.timestamp())
+```
+
+## Suspicious Parent-Child Relationships
+
+| Parent | Child | Indicator |
+|--------|-------|-----------|
+| winword.exe | cmd.exe, powershell.exe | Macro execution |
+| svchost.exe | cmd.exe, powershell.exe | Service-based injection |
+| explorer.exe | mshta.exe | COM hijack / LNK abuse |
+| outlook.exe | powershell.exe | Email macro execution |