Skill UI

This skill provides comprehensive detection rules for advanced defense evasion techniques used by adversaries, including log tampering (T1070), timestomping, process injection (T1055), and disabling security tools (T1562). It is ideal for threat hunting, building detection rules, and investigating stealthy attacker activity using Sysmon and SIEM data.

A comprehensive guide and methodology for detecting process hollowing (T1055.012). It involves advanced memory forensics, analyzing memory-mapped sections, and correlating parent-child process anomalies using EDR and Sysmon data to identify fileless and in-memory malware threats.

This guide details how to detect advanced process injection techniques (T1055) by analyzing rich Sysmon telemetry. It focuses on identifying cross-process memory operations, such as remote thread creation (Event 8), suspicious process access (Event 10), and memory divergence (ProcessTampering/Event 25), which are hallmarks of DLL injection and process hollowing. Ideal for threat hunters and security analysts investigating sophisticated defense evasion.

This skill provides a structured methodology for detecting process injection techniques (MITRE ATT&CK T1055), which adversaries use for defense evasion and privilege escalation. It analyzes granular security logs, specifically utilizing Sysmon Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess), alongside source-target process relationship mapping to identify suspicious malicious behavior over general system activity.