Files
Anthropic-Cybersecurity-Skills/skills/hunting-for-process-injection-techniques/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.6 KiB

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf, mitre_attack
name description domain subdomain tags version author license d3fend_techniques nist_csf mitre_attack
hunting-for-process-injection-techniques Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection via Sysmon Event IDs 8 and 10 and EDR process telemetry cybersecurity threat-hunting
process-injection
t1055
sysmon
createremotethread
dll-injection
edr
threat-hunting
1.0 mahipal Apache-2.0
Executable Denylisting
Execution Isolation
File Metadata Consistency Validation
Content Format Conversion
File Content Analysis
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05
T1046
T1057
T1082
T1083
T1055

Hunting for Process Injection Techniques

Overview

Process injection (MITRE ATT&CK T1055) allows adversaries to execute code in the address space of another process, enabling defense evasion and privilege escalation. This skill detects injection techniques via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of source-target process relationships to distinguish legitimate from malicious injection.

When to Use

  • When investigating security incidents that require hunting for process injection techniques
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Sysmon installed with Event IDs 8 and 10 enabled
  • Process creation logs (Sysmon Event ID 1 or Windows 4688)
  • Python 3.8+ with standard library
  • JSON-formatted Sysmon event logs

Steps

  1. Parse Sysmon Events — Ingest Event IDs 1, 8, and 10 from JSON log files
  2. Detect CreateRemoteThread — Flag Event ID 8 with suspicious source-target process pairs
  3. Analyze ProcessAccess Rights — Identify Event ID 10 with dangerous access masks (PROCESS_VM_WRITE, PROCESS_CREATE_THREAD)
  4. Build Process Relationship Graph — Map source-to-target injection relationships
  5. Filter Known Legitimate Pairs — Exclude known benign injection patterns (AV, debuggers, system processes)
  6. Score Injection Severity — Apply risk scoring based on source process, target process, and access rights
  7. Generate Hunt Report — Produce structured report with MITRE sub-technique mapping

Expected Output

  • JSON report of detected injection events with severity scores
  • Process injection relationship graph
  • MITRE ATT&CK sub-technique mapping (T1055.001-T1055.012)
  • False positive exclusion recommendations