detecting-process-injection-techniques

Solid

Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.

AI & Automation 38 stars 5 forks Updated yesterday MIT


Quality Score: 89/100

| Component | Weight | Score |
|---|---|---|
| Stars | 20% | 53 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 80 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Detecting Process Injection Techniques

## When to Use

- EDR alerts on suspicious API call sequences (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)
- A legitimate process (explorer.exe, svchost.exe) exhibits unexpected network connections or file operations
- Memory forensics reveals executable code in memory regions that should not contain it
- Investigating living-off-the-land attacks where malware hides inside trusted processes
- Building detection logic for specific injection techniques in EDR or SIEM rules

**Do not use** for standard DLL loading analysis; injection implies unauthorized code placement in a process without that process's cooperation.

## Prerequisites

- Volatility 3 for memory forensics analysis of injection artifacts
- Sysmon configured with Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess)
- API Monitor or x64dbg for observing injection API calls in real time
- Process Hacker or Process Explorer for inspecting process memory regions
- Understanding of Windows memory management (VirtualAlloc, VAD, page protections)
- Isolated analysis environment for safe malware execution and monitoring

## Workflow

### Step 1: Identify Injection via Memory Forensics

Use Volatility to detect injected code in process memory:

```bash
# malfind: Primary injection detection plugin
vol3 -f memory.dmp windows.malfind

# malfind detects:
# - Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection
# - PE headers (MZ signature) in non-image VAD entri...
```

Details

- Author: adriannoes
- Repository: adriannoes/awesome-vibe-coding
- Created: 8 months ago
- Last Updated: yesterday
- Language: Jupyter Notebook
- License: MIT
