Anthropic-Cybersecurity-Skills/skills/detecting-process-hollowing-technique/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Process Hollowing Detection

MITRE ATT&CK Mapping

  • Technique: T1055.012 — Process Hollowing
  • Tactic: Defense Evasion, Privilege Escalation

Windows API Functions Used in Hollowing

Typical order: create the target with CREATE_SUSPENDED, unmap its image at the image base with NtUnmapViewOfSection, allocate at that base with VirtualAllocEx, copy the payload's headers and sections in with WriteProcessMemory, point the primary thread's entry at the payload (SetThreadContext, or a patched ImageBaseAddress in the PEB), then ResumeThread. Variants skip the unmap and overwrite the mapped image in place, so the unmap call is not a reliable requirement for a detection.

CreateProcessA/W (kernel32.dll)

BOOL CreateProcessW(
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,       // CREATE_SUSPENDED = 0x4
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);

NtUnmapViewOfSection (ntdll.dll)

NTSTATUS NtUnmapViewOfSection(
    HANDLE ProcessHandle,
    PVOID BaseAddress
);

VirtualAllocEx (kernel32.dll)

LPVOID VirtualAllocEx(
    HANDLE hProcess,
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD flAllocationType,
    DWORD flProtect          // PAGE_EXECUTE_READWRITE = 0x40
);

WriteProcessMemory (kernel32.dll)

BOOL WriteProcessMemory(
    HANDLE hProcess,
    LPVOID lpBaseAddress,
    LPCVOID lpBuffer,
    SIZE_T nSize,
    SIZE_T *lpNumberOfBytesWritten
);

ResumeThread (kernel32.dll)

DWORD ResumeThread(HANDLE hThread);
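The sequence of calls above turned into a detection rule over API-call telemetry. This is an added example, not code from the reference or the skill's own agent; it assumes a hook or EDR layer that emits one record per call carrying the caller pid, the pid of the process acted on (resolved from the handle by that layer), the API name and the flag arguments from the signatures above. The record fields and the sample trace are constructed.

```python
"""Detect the hollowing API sequence in per-process API-call telemetry.

Added example, not code from the original reference or its project. It assumes
a hook/EDR layer that emits one record per call with the caller pid, the pid of
the process acted on (already resolved from the handle), the API name and the
flag arguments shown in the signatures above. Record shape and sample trace
are constructed for this example.
"""

CREATE_SUSPENDED = 0x00000004        # dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # flProtect value


def detect_hollowing(records):
    """Return one alert per suspended child that its creator wrote into and then
    resumed. NtUnmapViewOfSection plus an RWX VirtualAllocEx raise confidence to
    'high'; a suspended create that is resumed without any write is ignored,
    as are writes from a process other than the creator."""
    tracked = {}   # target pid -> {"creator": pid, "stages": {stage: record index}}
    alerts = []
    for i, r in enumerate(records):
        api, caller, target = r["api"], r["caller_pid"], r["target_pid"]
        if api in ("CreateProcessA", "CreateProcessW"):
            if r.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                tracked[target] = {"creator": caller, "stages": {"suspended_create": i}}
            else:
                tracked.pop(target, None)        # pid reuse: forget stale state
            continue
        state = tracked.get(target)
        if state is None or state["creator"] != caller:
            continue                             # not a suspended child of this caller
        stages = state["stages"]
        if api == "NtUnmapViewOfSection":
            stages["unmap"] = i
        elif api == "VirtualAllocEx" and r.get("flProtect") == PAGE_EXECUTE_READWRITE:
            stages["rwx_alloc"] = i
        elif api == "WriteProcessMemory":
            stages["write"] = i
        elif api == "ResumeThread":
            if "write" in stages:
                strong = {"unmap", "rwx_alloc"} <= set(stages)
                alerts.append({
                    "target_pid": target,
                    "creator_pid": caller,
                    "confidence": "high" if strong else "medium",
                    "stages": sorted(stages),
                })
            tracked.pop(target, None)            # resumed: the hollowing window is over
    return alerts


# Constructed trace: one full hollowing chain (5212), one variant that skips the
# unmap (5500), a debugger-style suspend/resume with no write (5300) and a
# write into a non-suspended process by an unrelated caller (5400).
SAMPLE_TRACE = [
    {"api": "CreateProcessW", "caller_pid": 4100, "target_pid": 5212, "dwCreationFlags": 0x4},
    {"api": "NtUnmapViewOfSection", "caller_pid": 4100, "target_pid": 5212},
    {"api": "VirtualAllocEx", "caller_pid": 4100, "target_pid": 5212, "flProtect": 0x40},
    {"api": "WriteProcessMemory", "caller_pid": 4100, "target_pid": 5212},
    {"api": "ResumeThread", "caller_pid": 4100, "target_pid": 5212},
    {"api": "CreateProcessW", "caller_pid": 4100, "target_pid": 5500, "dwCreationFlags": 0x4},
    {"api": "WriteProcessMemory", "caller_pid": 4100, "target_pid": 5500},
    {"api": "ResumeThread", "caller_pid": 4100, "target_pid": 5500},
    {"api": "CreateProcessW", "caller_pid": 880, "target_pid": 5300, "dwCreationFlags": 0x4},
    {"api": "ResumeThread", "caller_pid": 880, "target_pid": 5300},
    {"api": "CreateProcessW", "caller_pid": 880, "target_pid": 5400, "dwCreationFlags": 0x0},
    {"api": "WriteProcessMemory", "caller_pid": 4100, "target_pid": 5400},
    {"api": "ResumeThread", "caller_pid": 4100, "target_pid": 5400},
]

if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_TRACE):
        print(alert)
```

Keying the state on the target pid and requiring the writer to be the creator is what keeps debuggers (suspend, then resume without writing) and unrelated memory readers out of the alert set; the unmap and RWX allocation only change confidence, because the in-place overwrite variant never makes those calls.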

Detection via Linux /proc Filesystem

T1055.012 is a Windows technique, but the same pattern (start a process, then replace its mapped image from memory, for example via ptrace or an execve of a memfd) leaves comparable artefacts on Linux, and /proc exposes them.

/proc/[pid]/exe

Symlink to the file the process was executed from. If that file has since been unlinked, readlink returns the path with " (deleted)" appended; a process executed from an anonymous memfd shows as /memfd:<name> (deleted). Compare the link target with the file backing the executable mappings in maps.

/proc/[pid]/maps

address           perms offset  dev   inode   pathname
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/target

Every executable mapping should be backed by the exe file or a shared library. Executable mappings with no pathname (anonymous), with rwxp permissions, with "(deleted)" in the pathname, or a lowest executable mapping whose pathname differs from the exe link all indicate an injected or replaced image. JIT runtimes also create anonymous executable mappings, so that indicator is weak on its own.

/proc/[pid]/status

Name:   target
Pid:    1234
PPid:   567
VmExe:  512 kB

Name is the comm: the first 15 characters of the executable's filename unless the process changed it with prctl(PR_SET_NAME). Compare it with the basename of the exe link. VmExe is the size of the executable (text) mappings and can be checked against the sizes of the executable sections in the on-disk file.
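The three artefacts above checked together. This is an added example, not the reference's or the skill's own code: it parses exe, maps and status for one pid and returns indicator tags, with two constructed snapshots (a clean process and a replaced image) and an analyse_pid() helper that applies the same checks to a live process.

```python
"""Flag Linux process-image replacement from /proc/[pid]/{exe,maps,status}.

Added example, not code from the original reference or its project. It reads the
three artefacts described above and reports the indicators a replaced image
leaves: an exe link whose file is unlinked or is an anonymous memfd, executable
mappings with no backing file or with an unlinked one, a main image that is not
the exe file, and a comm (Name) that does not match the exe basename. The two
sample snapshots are constructed; analyse_pid() runs the same checks live.
"""
import os
import re

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(maps_text):
    """Yield (start, end, perms, pathname) for each /proc/[pid]/maps line."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4).strip()


def analyse(exe, maps, status):
    """Return a sorted list of indicator tags; an empty list means nothing odd."""
    tags = set()
    exe_path = exe.replace(" (deleted)", "")
    if exe.endswith(" (deleted)"):
        tags.add("exe_unlinked")
    if "/memfd:" in exe:
        tags.add("exe_memfd")
    main_image = None
    for start, end, perms, path in parse_maps(maps):
        if "x" not in perms or path.startswith("["):
            continue                          # data mappings, [vdso], [vsyscall]
        if not path:
            # JITs also produce anonymous r-x regions, so that alone is weak; rwx is not.
            tags.add("anon_rwx_mapping" if "w" in perms else "anon_exec_mapping")
            continue
        clean = path.replace(" (deleted)", "")
        if clean != path:
            tags.add("exec_mapping_unlinked")
        if ".so" in os.path.basename(clean):
            continue                          # shared libraries are expected
        if main_image is None:
            main_image = clean                # lowest file-backed executable mapping
        elif clean != exe_path:
            tags.add("exec_mapping_unexpected_file")
    if main_image is not None and main_image != exe_path:
        tags.add("main_image_mismatch")
    m = re.search(r"^Name:\s*(\S+)", status, re.M)
    # comm is the first 15 bytes of the exe filename unless changed via prctl,
    # so a mismatch is a weak indicator on its own.
    if m and not os.path.basename(exe_path).startswith(m.group(1)):
        tags.add("comm_mismatch")
    return sorted(tags)


def analyse_pid(pid):
    """Run the checks against a live process (needs read access to its /proc entry)."""
    base = "/proc/%d" % pid
    with open(base + "/maps") as f:
        maps = f.read()
    with open(base + "/status") as f:
        status = f.read()
    return analyse(os.readlink(base + "/exe"), maps, status)


# Constructed snapshots: a normal process and one whose image was replaced.
CLEAN = dict(
    exe="/usr/bin/target",
    maps="00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/target\n"
         "00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/target\n"
         "7f3e2c000000-7f3e2c1c0000 r-xp 00000000 08:02 92631 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
         "7ffd9a5f0000-7ffd9a5f2000 r-xp 00000000 00:00 0 [vdso]\n",
    status="Name:\ttarget\nPid:\t1234\nPPid:\t567\nVmExe:\t328 kB\n",
)
HOLLOWED = dict(
    exe="/usr/bin/target (deleted)",
    maps="00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/target (deleted)\n"
         "7f3e2c000000-7f3e2c1c0000 r-xp 00000000 08:02 92631 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
         "7f9c10000000-7f9c10200000 rwxp 00000000 00:00 0\n",
    status="Name:\tsshd\nPid:\t1234\nPPid:\t567\nVmExe:\t2048 kB\n",
)

if __name__ == "__main__":
    print("clean:   ", analyse(**CLEAN))
    print("hollowed:", analyse(**HOLLOWED))
```

Treat the tags as evidence to combine rather than verdicts: exe_unlinked also appears after a package upgrade replaced a running binary, and comm_mismatch after a legitimate prctl(PR_SET_NAME); an anonymous rwx mapping in a process whose exe link is gone is the combination worth paging on.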

Sysmon Event IDs for Detection

Event ID  Description
1         Process Create: image, parent and command line of the new process. Sysmon does not record dwCreationFlags, so CREATE_SUSPENDED is not visible here; use this event for parent/child context only.
8         CreateRemoteThread: a thread created in another process. Classic hollowing resumes the target's own primary thread, so this fires only for variants that start a new thread.
10        ProcessAccess: the GrantedAccess mask on a handle to the target. Hollowing needs at least PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20), often together with PROCESS_SUSPEND_RESUME (0x800) or the full PROCESS_ALL_ACCESS (0x1FFFFF); many benign tools request 0x1FFFFF too, so use it as context rather than as an alert by itself.
25        ProcessTampering (Sysmon 13 and later): Type "Image is replaced" when the mapped image no longer matches the file on disk. This is the most direct signal for hollowing and needs a ProcessTampering rule enabled in the Sysmon configuration.
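Correlating those events per target process, as an added example that is not part of the reference or the skill's own agent. The events are constructed XML strings shaped after Sysmon's EventData field names (SourceProcessId, TargetProcessId, TargetImage, GrantedAccess for Event 10; ProcessId, Image, Type for Event 25); on a real host the same strings come from the Microsoft-Windows-Sysmon/Operational log, for example via Get-WinEvent followed by ToXml() on each record.

```python
"""Correlate Sysmon events 10, 8 and 25 into hollowing alerts per target process.

Added example, not code from the original reference or its project. The events
are constructed XML strings shaped after Sysmon's EventData field names; real
input would come from the Microsoft-Windows-Sysmon/Operational log.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights that matter for hollowing (winnt.h values).
ACCESS_BITS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
}
HOLLOW_MASK = 0x0008 | 0x0020   # VirtualAllocEx needs VM_OPERATION, WriteProcessMemory needs both


def parse_event(xml_text):
    """Return (event_id, {data name: value}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def decode_access(granted):
    """Expand a GrantedAccess hex string such as '0x28' into access-right names."""
    mask = int(granted, 16)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def correlate(events_xml):
    """Event 25 'Image is replaced' alone is 'high'. A write-capable Event 10 open
    followed by a remote thread (Event 8) in the same target is 'medium'. A
    write-capable open on its own is kept as context but not alerted, because
    debuggers and AV scanners open processes with 0x1FFFFF routinely."""
    targets = defaultdict(lambda: {"image": "", "opens": [], "tamper": False, "thread": False})
    for xml_text in events_xml:
        event_id, d = parse_event(xml_text)
        if event_id == 10 and int(d["GrantedAccess"], 16) & HOLLOW_MASK == HOLLOW_MASK:
            t = targets[d["TargetProcessId"]]
            t["image"] = d["TargetImage"]
            t["opens"].append((d["SourceImage"], decode_access(d["GrantedAccess"])))
        elif event_id == 25:
            t = targets[d["ProcessId"]]
            t["image"] = d["Image"]
            t["tamper"] = t["tamper"] or d.get("Type", "") == "Image is replaced"
        elif event_id == 8:
            targets[d["TargetProcessId"]]["thread"] = True
    alerts = []
    for pid, t in targets.items():
        if t["tamper"]:
            severity = "high"
        elif t["opens"] and t["thread"]:
            severity = "medium"
        else:
            continue
        alerts.append({"pid": pid, "image": t["image"], "severity": severity,
                       "sources": [src for src, _ in t["opens"]]})
    return alerts


def sysmon_event(event_id, **fields):
    """Build a minimal Sysmon-style event (constructed sample data)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>%d</EventID></System><EventData>%s</EventData></Event>"
            % (event_id, data))


LOADER = r"C:\Users\alice\AppData\Local\Temp\loader.exe"
SAMPLE_EVENTS = [
    # loader opens a svchost child with full access; Sysmon then sees its image replaced
    sysmon_event(10, SourceProcessId="4100", SourceImage=LOADER, TargetProcessId="5212",
                 TargetImage=r"C:\Windows\System32\svchost.exe", GrantedAccess="0x1FFFFF"),
    sysmon_event(25, ProcessId="5212", Image=r"C:\Windows\System32\svchost.exe", Type="Image is replaced"),
    # Task Manager querying a process: no write rights, never tracked
    sysmon_event(10, SourceProcessId="880", SourceImage=r"C:\Windows\System32\Taskmgr.exe",
                 TargetProcessId="6010", TargetImage=r"C:\Program Files\App\app.exe", GrantedAccess="0x1400"),
    # write-capable open plus a remote thread, but no tampering event
    sysmon_event(10, SourceProcessId="4100", SourceImage=LOADER, TargetProcessId="7300",
                 TargetImage=r"C:\Windows\System32\notepad.exe", GrantedAccess="0x28"),
    sysmon_event(8, SourceProcessId="4100", SourceImage=LOADER, TargetProcessId="7300",
                 TargetImage=r"C:\Windows\System32\notepad.exe", NewThreadId="7316"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Pids are kept as strings because that is how they appear in the event XML; in a production pipeline key on ProcessGuid instead, since pids are reused and Sysmon carries the GUID in all three event types.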

PowerShell Detection Queries

Compare the PEB-reported main module with the kernel-reported process name

# Caveat: in PowerShell $_.Path is a script property that returns
# $_.MainModule.FileName, so "Path -ne MainModule.FileName" is never true.
# MainModule comes from the target's PEB loader list and ProcessName from the
# kernel's process list, so those two are independent. Hollowing that leaves
# the PEB untouched still passes this check; pair it with Sysmon Event 25.
Get-Process | Where-Object {
    try { $module = $_.MainModule.FileName } catch { return $false }   # access denied, WOW64 mismatch
    [IO.Path]::GetFileNameWithoutExtension($module) -ne $_.ProcessName
} | Select-Object Id, ProcessName, @{ n = 'MainModule'; e = { $_.MainModule.FileName } }

Check for suspended processes

# Win32_Process.ExecutionState is not populated on current Windows, so filtering
# on it returns nothing. A suspended process is one whose threads are all in the
# Wait state with WaitReason 'Suspended'; debuggers and sandboxes produce this too.
Get-Process | Where-Object {
    $_.Threads.Count -gt 0 -and
    @($_.Threads | Where-Object { $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' }).Count -eq $_.Threads.Count
} | ForEach-Object { Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)" } |
    Select-Object ProcessId, Name, ParentProcessId, CommandLine