Name: Hunting For Process Injection Techniques
Author: micsapp

Overview

Process injection (MITRE ATT&CK T1055) allows adversaries to execute code in the address space of another process, enabling defense evasion and privilege escalation. This skill detects injection techniques via Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of source-target process relationships to distinguish legitimate from malicious injection.

When to Use

When investigating security incidents that require hunting for process injection techniques
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon installed with Event IDs 8 and 10 enabled
Process creation logs (Sysmon Event ID 1 or Windows 4688)
Python 3.8+ with standard library
JSON-formatted Sysmon event logs

Steps

Overview

When to Use

When investigating security incidents that require hunting for process injection techniques
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Sysmon installed with Event IDs 8 and 10 enabled
Process creation logs (Sysmon Event ID 1 or Windows 4688)
Python 3.8+ with standard library
JSON-formatted Sysmon event logs

Hunting For Process Injection Techniques

Overview

When to Use

Prerequisites

Steps

Hunting For Process Injection Techniques

Overview

When to Use

Prerequisites

Steps

Expected Output

Pytorch Patterns

Regex Vs Llm Structured Text

Effect

Flags

WPF to WinUI 3 Migration Skill

At Dispatch V2