mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 22:24:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
104 lines
2.3 KiB
Markdown
104 lines
2.3 KiB
Markdown
# API Reference: Process Hollowing Detection
|
|
|
|
## MITRE ATT&CK Mapping
|
|
- **Technique**: T1055.012 — Process Hollowing
|
|
- **Tactic**: Defense Evasion, Privilege Escalation
|
|
|
|
## Windows API Functions Used in Hollowing
|
|
|
|
### CreateProcessA/W (kernel32.dll)
|
|
```c
|
|
BOOL CreateProcessW(
|
|
LPCWSTR lpApplicationName,
|
|
LPWSTR lpCommandLine,
|
|
LPSECURITY_ATTRIBUTES lpProcessAttributes,
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
BOOL bInheritHandles,
|
|
DWORD dwCreationFlags, // CREATE_SUSPENDED = 0x4
|
|
LPVOID lpEnvironment,
|
|
LPCWSTR lpCurrentDirectory,
|
|
LPSTARTUPINFOW lpStartupInfo,
|
|
LPPROCESS_INFORMATION lpProcessInformation
|
|
);
|
|
```
|
|
|
|
### NtUnmapViewOfSection (ntdll.dll)
|
|
```c
|
|
NTSTATUS NtUnmapViewOfSection(
|
|
HANDLE ProcessHandle,
|
|
PVOID BaseAddress
|
|
);
|
|
```
|
|
|
|
### VirtualAllocEx (kernel32.dll)
|
|
```c
|
|
LPVOID VirtualAllocEx(
|
|
HANDLE hProcess,
|
|
LPVOID lpAddress,
|
|
SIZE_T dwSize,
|
|
DWORD flAllocationType,
|
|
DWORD flProtect // PAGE_EXECUTE_READWRITE = 0x40
|
|
);
|
|
```
|
|
|
|
### WriteProcessMemory (kernel32.dll)
|
|
```c
|
|
BOOL WriteProcessMemory(
|
|
HANDLE hProcess,
|
|
LPVOID lpBaseAddress,
|
|
LPCVOID lpBuffer,
|
|
SIZE_T nSize,
|
|
SIZE_T *lpNumberOfBytesWritten
|
|
);
|
|
```
|
|
|
|
### ResumeThread (kernel32.dll)
|
|
```c
|
|
DWORD ResumeThread(HANDLE hThread);
|
|
```
|
|
|
|
## Detection via Linux /proc Filesystem
|
|
|
|
### /proc/[pid]/exe
|
|
Symlink to the actual executable. If deleted or replaced, shows `(deleted)`.
|
|
|
|
### /proc/[pid]/maps
|
|
```
|
|
address perms offset dev inode pathname
|
|
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/target
|
|
```
|
|
|
|
### /proc/[pid]/status
|
|
```
|
|
Name: svchost
|
|
Pid: 1234
|
|
PPid: 567
|
|
VmExe: 512 kB
|
|
```
|
|
|
|
## Sysmon Event IDs for Detection
|
|
|
|
| Event ID | Description |
|
|
|----------|-------------|
|
|
| 1 | Process Create (check CREATE_SUSPENDED flag) |
|
|
| 8 | CreateRemoteThread |
|
|
| 10 | ProcessAccess (PROCESS_VM_WRITE + PROCESS_VM_OPERATION) |
|
|
| 25 | ProcessTampering (image replaced) |
|
|
|
|
## PowerShell Detection Queries
|
|
|
|
### Get process with module mismatch
|
|
```powershell
|
|
Get-Process | Where-Object {
|
|
$_.Path -and $_.MainModule.FileName -and
|
|
($_.Path -ne $_.MainModule.FileName)
|
|
}
|
|
```
|
|
|
|
### Check for suspended child processes
|
|
```powershell
|
|
Get-CimInstance Win32_Process | Where-Object {
|
|
$_.ExecutionState -eq 'Suspended'
|
|
} | Select-Object ProcessId, Name, ParentProcessId, CommandLine
|
|
```
|