Skill UI

A comprehensive guide and methodology for detecting process hollowing (T1055.012). It involves advanced memory forensics, analyzing memory-mapped sections, and correlating parent-child process anomalies using EDR and Sysmon data to identify fileless and in-memory malware threats.

A comprehensive skill for detecting advanced malware techniques, including DLL injection, process hollowing, APC injection, and thread hijacking. Utilizes memory forensics (Volatility), API monitoring (Sysmon), and behavioral analysis to identify malicious code artifacts and suspicious process activities in a deep defense context.

This guide details how to detect advanced process injection techniques (T1055) by analyzing rich Sysmon telemetry. It focuses on identifying cross-process memory operations, such as remote thread creation (Event 8), suspicious process access (Event 10), and memory divergence (ProcessTampering/Event 25), which are hallmarks of DLL injection and process hollowing. Ideal for threat hunters and security analysts investigating sophisticated defense evasion.

This tool leverages the Rekall memory forensics framework to conduct deep analysis of memory dumps. It is designed to detect sophisticated threats such as process hollowing, injected code via VAD anomalies, hidden operating system processes, and rootkit presence. It applies key forensic plugins (pslist, malfind, vadinfo) essential for rigorous incident response and malware analysis.

A comprehensive guide for digital forensics professionals on analyzing volatile memory dumps using Volatility 3. Learn to extract critical evidence, including running processes, network connections, loaded DLLs, system credentials, and detecting advanced threats like process hollowing and rootkits. Essential for incident response and malware analysis.

A comprehensive playbook detailing advanced techniques for bypassing modern Endpoint Detection and Response (EDR) and Antivirus (AV) solutions on Windows. Covers exploiting vulnerabilities in AMSI, ETW, and implementing sophisticated process injection methods (e.g., Process Hollowing, Early Bird) to execute payloads while maintaining stealth.