creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
0fbcbdf8ddfc4342277f03b2ddb60be33ca6dcb1
Anthropic-Cybersecurity-Skills/skills/detecting-process-injection-techniques/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

85 lines
2.6 KiB
Markdown
Raw Blame History

# Process Injection Detection API Reference
## Volatility 3 Plugins
```bash
# Detect injected code (RWX memory, PE headers in non-image VADs)
vol3 -f memory.dmp windows.malfind
vol3 -f memory.dmp windows.malfind --pid 1234
# List processes
vol3 -f memory.dmp windows.pslist
# Scan for hidden processes
vol3 -f memory.dmp windows.psscan
# List DLLs for a process
vol3 -f memory.dmp windows.dlllist --pid 1234
# Dump injected code
vol3 -f memory.dmp windows.malfind --dump --pid 1234
# List threads
vol3 -f memory.dmp windows.threads --pid 1234
# VAD tree (memory regions)
vol3 -f memory.dmp windows.vadinfo --pid 1234
```
## Injection Techniques and API Sequences
| Technique | API Sequence |
|-----------|-------------|
| Classic DLL | OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread |
| Process Hollowing | CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> WriteProcessMemory -> ResumeThread |
| APC Injection | OpenThread -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC |
| Reflective DLL | VirtualAlloc -> memcpy -> CreateThread (in-process) |
| Thread Hijacking | OpenThread -> SuspendThread -> SetThreadContext -> ResumeThread |
## Sysmon Event IDs for Injection
| Event ID | Name | Relevance |
|----------|------|-----------|
| 1 | ProcessCreate | Hollowed process creation (SUSPENDED) |
| 7 | ImageLoaded | Reflective DLL loads (unsigned) |
| 8 | CreateRemoteThread | Classic injection indicator |
| 10 | ProcessAccess | PROCESS_VM_WRITE + PROCESS_CREATE_THREAD |
| 25 | ProcessTampering | Image file replaced (hollowing) |
## Sysmon Config for Injection Detection
```xml
<Sysmon schemaversion="4.90">
<EventFiltering>
<ProcessAccess onmatch="include">
<GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
<GrantedAccess condition="is">0x1FFFFF</GrantedAccess>
</ProcessAccess>
<CreateRemoteThread onmatch="exclude">
<SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>
```
## python-evtx Usage
```python
import Evtx.Evtx as evtx
with evtx.Evtx("Sysmon.evtx") as log:
for record in log.records():
xml = record.xml()
if "<EventID>8</EventID>" in xml:
print("CreateRemoteThread:", record.timestamp())
```
## Suspicious Parent-Child Relationships
| Parent | Child | Indicator |
|--------|-------|-----------|
| winword.exe | cmd.exe, powershell.exe | Macro execution |
| svchost.exe | cmd.exe, powershell.exe | Service-based injection |
| explorer.exe | mshta.exe | COM hijack / LNK abuse |
| outlook.exe | powershell.exe | Email macro execution |
Reference in New Issue View Git Blame Copy Permalink