Hunting for Process Injection Techniques
Overview
Process injection (MITRE ATT&CK T1055) allows adversaries to execute code in the address space of another process, enabling defense evasion and privilege escalation. This skill detects injection techniques via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of source-target process relationships to distinguish legitimate from malicious injection.
Prerequisites
- Sysmon installed with Event IDs 8 and 10 enabled
- Process creation logs (Sysmon Event ID 1 or Windows 4688)
- Python 3.8+ with standard library
- JSON-formatted Sysmon event logs
Steps
-
Parse Sysmon Events — Ingest Event IDs 1, 8, and 10 from JSON log files
-
Detect CreateRemoteThread — Flag Event ID 8 with suspicious source-target process pairs
-
Analyze ProcessAccess Rights — Identify Event ID 10 with dangerous access masks (PROCESS_VM_WRITE, PROCESS_CREATE_THREAD)
-
Build Process Relationship Graph — Map source-to-target injection relationships
-
Filter Known Legitimate Pairs — Exclude known benign injection patterns (AV, debuggers, system processes)
-
Score Injection Severity — Apply risk scoring based on source process, target process, and access rights
-
Generate Hunt Report — Produce structured report with MITRE sub-technique mapping
Expected Output
- JSON report of detected injection events with severity scores
- Process injection relationship graph
- MITRE ATT&CK sub-technique mapping (T1055.001-T1055.012)
- False positive exclusion recommendations
