creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
3fbae3f3a4441dc64a1ec2e02c573ef4b40ba3b8
Anthropic-Cybersecurity-Skills/skills/detecting-process-injection-techniques/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.6 KiB
Raw Blame History

Process Injection Detection API Reference

Volatility 3 Plugins

# Detect injected code (RWX memory, PE headers in non-image VADs)
vol3 -f memory.dmp windows.malfind
vol3 -f memory.dmp windows.malfind --pid 1234

# List processes
vol3 -f memory.dmp windows.pslist

# Scan for hidden processes
vol3 -f memory.dmp windows.psscan

# List DLLs for a process
vol3 -f memory.dmp windows.dlllist --pid 1234

# Dump injected code
vol3 -f memory.dmp windows.malfind --dump --pid 1234

# List threads
vol3 -f memory.dmp windows.threads --pid 1234

# VAD tree (memory regions)
vol3 -f memory.dmp windows.vadinfo --pid 1234

Injection Techniques and API Sequences

Technique API Sequence
Classic DLL OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Process Hollowing CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> WriteProcessMemory -> ResumeThread
APC Injection OpenThread -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC
Reflective DLL VirtualAlloc -> memcpy -> CreateThread (in-process)
Thread Hijacking OpenThread -> SuspendThread -> SetThreadContext -> ResumeThread

Sysmon Event IDs for Injection

Event ID Name Relevance
1 ProcessCreate Hollowed process creation (SUSPENDED)
7 ImageLoaded Reflective DLL loads (unsigned)
8 CreateRemoteThread Classic injection indicator
10 ProcessAccess PROCESS_VM_WRITE + PROCESS_CREATE_THREAD
25 ProcessTampering Image file replaced (hollowing)

Sysmon Config for Injection Detection

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessAccess onmatch="include">
      <GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
      <GrantedAccess condition="is">0x1FFFFF</GrantedAccess>
    </ProcessAccess>
    <CreateRemoteThread onmatch="exclude">
      <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

python-evtx Usage

import Evtx.Evtx as evtx

with evtx.Evtx("Sysmon.evtx") as log:
    for record in log.records():
        xml = record.xml()
        if "<EventID>8</EventID>" in xml:
            print("CreateRemoteThread:", record.timestamp())

Suspicious Parent-Child Relationships

Parent Child Indicator
winword.exe cmd.exe, powershell.exe Macro execution
svchost.exe cmd.exe, powershell.exe Service-based injection
explorer.exe mshta.exe COM hijack / LNK abuse
outlook.exe powershell.exe Email macro execution
Reference in New Issue View Git Blame Copy Permalink