creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-t1055-process-injection-with-sysmon/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.7 KiB
Raw Blame History

API Reference: T1055 Process Injection Detection with Sysmon

MITRE ATT&CK T1055 Sub-Techniques

Sub-technique Method Sysmon Event
T1055.001 DLL Injection Event 7, 8, 10
T1055.002 PE Injection Event 8, 10
T1055.003 Thread Execution Hijacking Event 8
T1055.004 Asynchronous Procedure Call Event 8, 10
T1055.005 Thread Local Storage Event 8
T1055.012 Process Hollowing Event 1, 10, 25

Sysmon Event IDs

Event 8 — CreateRemoteThread

Field Index Description
SourceProcessGuid 1 GUID of injecting process
SourceProcessId 2 PID of injecting process
SourceImage 4 Path of injecting binary
TargetProcessGuid 5 GUID of target process
TargetProcessId 6 PID of target process
TargetImage 7 Path of target binary
StartAddress 8 Thread start address
StartFunction 9 Thread entry function

Event 10 — ProcessAccess

Field Index Description
SourceProcessId 3 Accessing PID
SourceImage 4 Accessing binary path
TargetProcessId 7 Accessed PID
TargetImage 8 Accessed binary path
GrantedAccess 10 Access rights mask

Event 7 — Image Loaded

Field Index Description
Image 3 Process that loaded DLL
ImageLoaded 5 DLL path
Signed 6 Signature status
SignatureStatus 8 Valid/Invalid/Unknown

Process Access Masks

Mask Right Injection Use
0x0008 PROCESS_VM_OPERATION VirtualAllocEx
0x0010 PROCESS_VM_READ ReadProcessMemory
0x0020 PROCESS_VM_WRITE WriteProcessMemory
0x0800 PROCESS_SUSPEND_RESUME Hollowing
0x001F0FFF PROCESS_ALL_ACCESS Full control

Sysmon Configuration for Injection Detection

<Sysmon>
  <EventFiltering>
    <ProcessAccess onmatch="include">
      <GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
      <GrantedAccess condition="is">0x001F0FFF</GrantedAccess>
    </ProcessAccess>
    <CreateRemoteThread onmatch="exclude">
      <SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Sigma Rule Example

title: CreateRemoteThread into System Process
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\svchost.exe'
            - '\explorer.exe'
            - '\lsass.exe'
    filter:
        SourceImage|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
level: critical
Reference in New Issue View Git Blame Copy Permalink