What are some of your favorite methods or articles for detecting process injection techniques?
I’ll start with this bad boy because it’s a great writeup: https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Here’s another great article with some volatility tips: https://medium.com/@ozan.unal/process-injection-techniques-bc6396929740
Great article by @carrier4n6 on triaging process memory https://www.cybertriage.com/2019/how-to-detect-running-malware-intro-to-incident-response-triage-part-7/
Taking a look at detecting process hollowing specifically: https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85
Windows ATP monitors some API calls to detect process hollowing and atom bombing, solid read: https://www.microsoft.com/security/blog/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/
For real though, some of my favorite tools are @hasherezade's pe-sieve and hollowhunter https://hshrzd.wordpress.com/pe-sieve/
Also, I will never stop promoting the excellent work of BlueSpawn which leverages pe-sieve for triaging process memory: https://github.com/ION28/BLUESPAWN
Tons of amazing process injection details on this blog, an epic technical reference for shellcode techniques: https://modexp.wordpress.com
I would be remiss not to mention Donut, an epic shellcode gen tool that implements a number of injection techniques, including CLR injection for .NET assemblies, vbscript/jscript injection, and even its own PE / DLL loader https://github.com/TheWover/donut/
Another solid series, multiple deep dives on different process injection techniques: https://www.ired.team/offensive-security/code-injection-process-injection