creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-process-hollowing-technique/references/api-reference.md
T

1.1 KiB
Raw Blame History

API Reference: Detecting Process Hollowing Technique

Process Hollowing API Sequence

Step API Call Purpose
1 CreateProcess(SUSPENDED) Create target suspended
2 NtUnmapViewOfSection Unmap legitimate code
3 VirtualAllocEx Allocate for payload
4 WriteProcessMemory Write malicious code
5 SetThreadContext Redirect execution
6 ResumeThread Execute payload

Commonly Hollowed Processes

Process Reason
svchost.exe Trusted, always running
explorer.exe UI process
notepad.exe Simple, rarely monitored
dllhost.exe COM surrogate

Sysmon Detection Events

Event ID Detection
1 Suspicious parent-child
8 CreateRemoteThread into hollowed target
10 Process Access with PROCESS_ALL_ACCESS

Splunk SPL

index=sysmon EventCode=10
| where TargetImage IN ("*\svchost.exe","*\explorer.exe")
| where GrantedAccess IN ("0x1FFFFF","0x1F3FFF")
| table _time SourceImage TargetImage GrantedAccess Computer

CLI Usage

python agent.py --sysmon-log Sysmon.evtx
Reference in New Issue View Git Blame Copy Permalink