creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-t1055-process-injection-with-sysmon/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

87 lines
2.7 KiB
Markdown
Raw Blame History

# API Reference: T1055 Process Injection Detection with Sysmon
## MITRE ATT&CK T1055 Sub-Techniques
| Sub-technique | Method | Sysmon Event |
|---------------|--------|--------------|
| T1055.001 | DLL Injection | Event 7, 8, 10 |
| T1055.002 | PE Injection | Event 8, 10 |
| T1055.003 | Thread Execution Hijacking | Event 8 |
| T1055.004 | Asynchronous Procedure Call | Event 8, 10 |
| T1055.005 | Thread Local Storage | Event 8 |
| T1055.012 | Process Hollowing | Event 1, 10, 25 |
## Sysmon Event IDs
### Event 8 — CreateRemoteThread
| Field | Index | Description |
|-------|-------|-------------|
| SourceProcessGuid | 1 | GUID of injecting process |
| SourceProcessId | 2 | PID of injecting process |
| SourceImage | 4 | Path of injecting binary |
| TargetProcessGuid | 5 | GUID of target process |
| TargetProcessId | 6 | PID of target process |
| TargetImage | 7 | Path of target binary |
| StartAddress | 8 | Thread start address |
| StartFunction | 9 | Thread entry function |
### Event 10 — ProcessAccess
| Field | Index | Description |
|-------|-------|-------------|
| SourceProcessId | 3 | Accessing PID |
| SourceImage | 4 | Accessing binary path |
| TargetProcessId | 7 | Accessed PID |
| TargetImage | 8 | Accessed binary path |
| GrantedAccess | 10 | Access rights mask |
### Event 7 — Image Loaded
| Field | Index | Description |
|-------|-------|-------------|
| Image | 3 | Process that loaded DLL |
| ImageLoaded | 5 | DLL path |
| Signed | 6 | Signature status |
| SignatureStatus | 8 | Valid/Invalid/Unknown |
## Process Access Masks
| Mask | Right | Injection Use |
|------|-------|---------------|
| 0x0008 | PROCESS_VM_OPERATION | VirtualAllocEx |
| 0x0010 | PROCESS_VM_READ | ReadProcessMemory |
| 0x0020 | PROCESS_VM_WRITE | WriteProcessMemory |
| 0x0800 | PROCESS_SUSPEND_RESUME | Hollowing |
| 0x001F0FFF | PROCESS_ALL_ACCESS | Full control |
## Sysmon Configuration for Injection Detection
```xml
<Sysmon>
<EventFiltering>
<ProcessAccess onmatch="include">
<GrantedAccess condition="is">0x1F0FFF</GrantedAccess>
<GrantedAccess condition="is">0x001F0FFF</GrantedAccess>
</ProcessAccess>
<CreateRemoteThread onmatch="exclude">
<SourceImage condition="is">C:\Windows\System32\svchost.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>
```
## Sigma Rule Example
```yaml
title: CreateRemoteThread into System Process
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\svchost.exe'
- '\explorer.exe'
- '\lsass.exe'
filter:
SourceImage|startswith: 'C:\Windows\System32\'
condition: selection and not filter
level: critical
```
Reference in New Issue View Git Blame Copy Permalink