creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-process-injection-techniques/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

365 lines
14 KiB
Markdown
Raw Blame History

---
name: detecting-process-injection-techniques
description: 'Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing,
APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis
to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis,
hollowed process investigation, or in-memory threat detection.
'
domain: cybersecurity
subdomain: malware-analysis
tags:
- malware
- process-injection
- detection
- memory-forensics
- defense-evasion
version: 1.0.0
author: mahipal
license: Apache-2.0
d3fend_techniques:
- Executable Denylisting
- Execution Isolation
- File Metadata Consistency Validation
- Content Format Conversion
- File Content Analysis
nist_csf:
- DE.AE-02
- RS.AN-03
- ID.RA-01
- DE.CM-01
---
# Detecting Process Injection Techniques
## When to Use
- EDR alerts on suspicious API call sequences (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)
- A legitimate process (explorer.exe, svchost.exe) exhibits unexpected network connections or file operations
- Memory forensics reveals executable code in memory regions that should not contain it
- Investigating living-off-the-land attacks where malware hides inside trusted processes
- Building detection logic for specific injection techniques in EDR or SIEM rules
**Do not use** for standard DLL loading analysis; injection implies unauthorized code placement in a process without that process's cooperation.
## Prerequisites
- Volatility 3 for memory forensics analysis of injection artifacts
- Sysmon configured with Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess)
- API Monitor or x64dbg for observing injection API calls in real-time
- Process Hacker or Process Explorer for inspecting process memory regions
- Understanding of Windows memory management (VirtualAlloc, VAD, page protections)
- Isolated analysis environment for safe malware execution and monitoring
## Workflow
### Step 1: Identify Injection via Memory Forensics
Use Volatility to detect injected code in process memory:
```bash
# malfind: Primary injection detection plugin
vol3 -f memory.dmp windows.malfind
# malfind detects:
# - Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection
# - PE headers (MZ signature) in non-image VAD entries
# - Executable memory not backed by a file on disk
# Filter by specific process
vol3 -f memory.dmp windows.malfind --pid 852
# Dump injected memory regions for analysis
vol3 -f memory.dmp windows.malfind --dump
# Check VAD (Virtual Address Descriptor) tree for anomalies
vol3 -f memory.dmp windows.vadinfo --pid 852
# Detect hollowed processes (mapped image doesn't match disk)
vol3 -f memory.dmp windows.hollowfind
```
### Step 2: Classify the Injection Technique
Identify which injection method was used based on artifacts:
```
Process Injection Techniques and Detection Artifacts:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Classic DLL Injection
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
Artifact: Loaded DLL in target process not present in known-good baseline
Detection: New DLL in dlllist not matching disk hash, CreateRemoteThread event
2. Process Hollowing (RunPE)
APIs: CreateProcess(SUSPENDED) -> NtUnmapViewOfSection -> VirtualAllocEx ->
WriteProcessMemory -> SetThreadContext -> ResumeThread
Artifact: Process image in memory doesn't match file on disk
Detection: hollowfind plugin, mismatched PE headers vs disk file
3. APC Injection
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC
Artifact: Alertable thread has queued APC pointing to injected code
Detection: Thread start addresses outside known modules
4. Thread Hijacking
APIs: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread
Artifact: Thread instruction pointer changed to injected code
Detection: Thread context modification, EIP/RIP outside module boundaries
5. Reflective DLL Injection
APIs: VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread (to reflective loader)
Artifact: DLL loaded in memory but NOT in loaded module list
Detection: malfind (PE in non-image memory), module not in ldrmodules
6. Process Doppelganging
APIs: NtCreateTransaction -> NtCreateFile(transacted) -> NtWriteFile ->
NtCreateSection -> NtRollbackTransaction -> NtCreateProcessEx
Artifact: Process created from transacted file that was rolled back
Detection: Process with no corresponding file on disk
7. AtomBombing
APIs: GlobalAddAtom -> NtQueueApcThread (with GlobalGetAtomName)
Artifact: Code stored in global atom table, APC triggers copy to target
Detection: Unusual atom table entries, APC injection indicators
```
### Step 3: Detect Injection via Sysmon Events
Analyze Sysmon and Windows Event Log data:
```bash
# Sysmon Event ID 8: CreateRemoteThread
# Detect when one process creates a thread in another
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=8]]" /f:text /c:20
# Sysmon Event ID 10: ProcessAccess
# Detect suspicious access rights to other processes
# DesiredAccess containing PROCESS_VM_WRITE (0x0020) + PROCESS_CREATE_THREAD (0x0002)
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=10]]" /f:text /c:20
# Sysmon Event ID 1: Process Creation
# Detect process hollowing via suspicious parent-child relationships
wevtutil qe "Microsoft-Windows-Sysmon/Operational" \
/q:"*[System[EventID=1]]" /f:text /c:20
```
```python
# Parse Sysmon events for injection indicators
import xml.etree.ElementTree as ET
import subprocess
# Query CreateRemoteThread events
result = subprocess.run(
["wevtutil", "qe", "Microsoft-Windows-Sysmon/Operational",
"/q:*[System[EventID=8]]", "/f:xml", "/c:100"],
capture_output=True, text=True
)
suspicious_injections = []
for event_xml in result.stdout.split("</Event>"):
if not event_xml.strip():
continue
try:
root = ET.fromstring(event_xml + "</Event>")
ns = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
data = {}
for d in root.findall(".//e:EventData/e:Data", ns):
data[d.get("Name")] = d.text
source = data.get("SourceImage", "")
target = data.get("TargetImage", "")
# Flag injections from unusual sources into system processes
system_procs = ["svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"]
if any(p in target.lower() for p in system_procs):
if not any(p in source.lower() for p in ["csrss.exe", "services.exe", "lsass.exe"]):
print(f"[!] Suspicious injection: {source} -> {target}")
suspicious_injections.append(data)
except:
pass
```
### Step 4: Analyze Injected Code
Examine the injected payload to understand its purpose:
```bash
# Dump injected code from Volatility malfind
vol3 -f memory.dmp windows.malfind --pid 852 --dump
# Analyze the dumped region
file malfind.*.dmp
# If it contains a PE (MZ header), analyze as a standalone executable
python3 << 'PYEOF'
import pefile
# Attempt to parse as PE
try:
pe = pefile.PE("malfind.852.0x400000.dmp")
print("Injected PE detected!")
print(f" Architecture: {'x64' if pe.FILE_HEADER.Machine == 0x8664 else 'x86'}")
print(f" Imports:")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print(f" {entry.dll.decode()}: {len(entry.imports)} functions")
except:
print("Not a valid PE - likely shellcode")
# Analyze as shellcode
with open("malfind.852.0x400000.dmp", "rb") as f:
shellcode = f.read()
print(f" Size: {len(shellcode)} bytes")
print(f" First bytes: {shellcode[:32].hex()}")
PYEOF
# Disassemble shellcode
python3 -c "
from capstone import Cs, CS_ARCH_X86, CS_MODE_64
with open('malfind.852.0x400000.dmp', 'rb') as f:
code = f.read()[:256]
md = Cs(CS_ARCH_X86, CS_MODE_64)
for insn in md.disasm(code, 0x400000):
print(f' 0x{insn.address:X}: {insn.mnemonic} {insn.op_str}')
"
# Scan with YARA for known payloads
vol3 -f memory.dmp yarascan.YaraScan --pid 852 --yara-file malware_rules.yar
```
### Step 5: Map to MITRE ATT&CK
Classify detected techniques in the ATT&CK framework:
```
MITRE ATT&CK Process Injection Sub-Techniques (T1055):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
T1055.001 Dynamic-link Library Injection
T1055.002 Portable Executable Injection
T1055.003 Thread Execution Hijacking
T1055.004 Asynchronous Procedure Call (APC)
T1055.005 Thread Local Storage
T1055.008 Ptrace System Calls (Linux)
T1055.009 Proc Memory (/proc/pid/mem - Linux)
T1055.011 Extra Window Memory Injection
T1055.012 Process Hollowing
T1055.013 Process Doppelganging
T1055.014 VDSO Hijacking (Linux)
T1055.015 ListPlanting
```
### Step 6: Create Detection Signatures
Build detection rules for the identified technique:
```yaml
# Sigma rule for CreateRemoteThread injection
title: Suspicious CreateRemoteThread into System Process
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetImage|endswith:
- '\svchost.exe'
- '\explorer.exe'
- '\lsass.exe'
filter:
SourceImage|endswith:
- '\csrss.exe'
- '\services.exe'
- '\svchost.exe'
condition: selection and not filter
level: high
```
## Key Concepts
| Term | Definition |
|------|------------|
| **Process Injection** | Technique of executing code within the address space of another process, typically to evade detection and inherit the target's trust level |
| **Process Hollowing** | Creating a legitimate process in suspended state, unmapping its memory, writing malicious code, and resuming execution to masquerade as the legitimate process |
| **Reflective DLL Injection** | Loading a DLL into a process's memory without using the Windows loader, so the DLL does not appear in the loaded module list |
| **APC Injection** | Queuing an Asynchronous Procedure Call to a thread in the target process, causing it to execute injected code when the thread enters an alertable state |
| **VAD (Virtual Address Descriptor)** | Windows kernel structure describing memory regions in a process; anomalous VAD entries (RWX permissions, non-image PE) indicate injection |
| **CreateRemoteThread** | Windows API creating a thread in another process; the primary mechanism for classic DLL injection and many other injection techniques |
| **PAGE_EXECUTE_READWRITE** | Memory protection allowing read, write, and execute; rarely used by legitimate applications, common indicator of injected code |
## Tools & Systems
- **Volatility (malfind)**: Memory forensics plugin detecting injected code through VAD analysis and PE header scanning in non-image memory regions
- **Sysmon**: System Monitor providing detailed Windows event logging including CreateRemoteThread (EID 8) and ProcessAccess (EID 10)
- **Process Hacker**: Advanced process management tool showing detailed memory regions, thread stacks, and injected modules
- **API Monitor**: Windows tool for monitoring and logging API calls made by processes, useful for observing injection sequences in real-time
- **pe-sieve**: Tool scanning running processes for signs of code injection, hooking, and hollowing
## Common Scenarios
### Scenario: Investigating a Hollowed svchost.exe Process
**Context**: EDR alerts on svchost.exe making HTTPS connections to an external IP. Svchost.exe should only communicate with Microsoft services. Memory analysis is needed to confirm process hollowing.
**Approach**:
1. Capture memory dump of the suspicious svchost.exe process
2. Run Volatility `malfind` to detect injected PE in the process memory
3. Compare the in-memory image base with the on-disk svchost.exe file hash
4. Check the process parent (should be services.exe) and creation parameters
5. Dump the hollowed executable from memory and analyze with Ghidra
6. Run `netscan` to confirm the network connections from the hollowed process
7. Scan dumped code with YARA for malware family identification
**Pitfalls**:
- Assuming all svchost.exe instances are identical (each loads different service DLLs)
- Not checking the parent process (hollowed processes often have wrong parents)
- Relying only on process name matching (attackers specifically target svchost.exe because multiple instances are expected)
- Missing the injection source process that may have already terminated
## Output Format
```
PROCESS INJECTION ANALYSIS REPORT
====================================
Dump File: memory.dmp
Analysis Tool: Volatility 3.2 + Sysmon
INJECTION DETECTED
Target Process: svchost.exe (PID: 852)
Source Process: malware.exe (PID: 2184) [terminated]
Technique: Process Hollowing (T1055.012)
EVIDENCE
malfind Results:
PID 852 (svchost.exe):
Address: 0x00400000
Size: 184,320 bytes
Protection: PAGE_EXECUTE_READWRITE
Header: MZ (PE32 executable)
NOT backed by disk file
Process Verification:
Expected Image: C:\Windows\System32\svchost.exe (SHA-256: aaa...)
In-Memory Image: Unknown PE (SHA-256: bbb...)
Result: MISMATCH - HOLLOWED PROCESS
Sysmon Events:
[4688] malware.exe (PID 2184) created svchost.exe (PID 852) SUSPENDED
[10] malware.exe accessed svchost.exe with PROCESS_VM_WRITE
[8] malware.exe created remote thread in svchost.exe
INJECTED PAYLOAD ANALYSIS
SHA-256: bbb123def456...
YARA Match: CobaltStrike_Beacon_x64
Type: Cobalt Strike Beacon (HTTP)
C2: hxxps://185.220.101[.]42/updates
MITRE ATT&CK
T1055.012 Process Hollowing
T1071.001 Web Protocols (HTTPS C2)
T1036.005 Match Legitimate Name (svchost.exe)
```
Reference in New Issue View Git Blame Copy Permalink