Detects process injection techniques (MITRE T1055) via Sysmon Event IDs 8/10 and EDR telemetry, including CreateRemoteThread, process hollowing, and DLL injection, for threat hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Process injection (MITRE ATT&CK T1055) allows an attacker to execute code within the address space of another process, achieving defense evasion and privilege escalation. This skill detects injection techniques through Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess with suspicious access rights), and analysis of the relationship between the source and target processes to distinguish legitimate injection from malicious injection.
Detects process injection (T1055) via Sysmon Event IDs 8/10 including CreateRemoteThread, DLL injection; builds graphs and reports for threat hunting.
Detects process injection techniques (T1055) like CreateRemoteThread, process hollowing, and DLL injection using Sysmon Event IDs 8/10 and EDR telemetry. For threat hunting in security incidents.
Detects process injection (MITRE T1055) via Sysmon Event IDs 7, 8, 10, and 25 for DLL injection, process hollowing, APC injection, and more. Includes Splunk queries for threat hunting suspicious cross-process activity.