LetsDefend Academy

Online practicing and training platform for blue team members

Process Injection Detection with Sysmon

In this article, we will explain what the process injection technique is and how it can be detected with Sysmon.

What is Process Injection?

To put it simply, process injection is one process running code in the address space of another process. Attackers and malware frequently use the "Process Injection" technique: by running their code inside a legitimate process, they evade detection and increase the success rate of the attack.

Before explaining how we can detect the Process Injection technique, let's talk about the methods by which this technique can be performed.

There are many methods for process injection. The most frequently used are as follows:

  1. DLL Injection
  2. PE Injection
  3. Process Hollowing
  4. Hook Injection
  5. AppInit_DLLs

If you want to practice after this article, you can use our blue team lab for free.

Sysmon

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. 

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon can record many different types of events. With Sysmon Event ID 8 (CreateRemoteThread), we can detect the Process Injection technique.

Example

Let's examine how we can detect the Process Injection technique with Sysmon events.

We can use InjectProc to simulate the Process Injection technique. InjectProc is an open source project created to simulate Process Injection techniques. The project also ships a DLL file that you can use for testing.

You can download InjectProc's executable file from here. Let's inject a DLL into the "winrar.exe" process with the command below.

InjectProc.exe dll_inj malicious.dll winrar.exe

When the DLL is injected successfully, a message box appears, as in the image above, indicating that the injection succeeded.

Now let's detect the Process Injection we simulated using Sysmon. Sysmon events can be viewed with the "Event Viewer" tool; the Sysmon log is located at the path below.

"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"

When we look at the Event ID 8 entries, we can see that the Process Injection has been caught.

You can detect the Process Injection technique by monitoring this event in your SIEM.
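As an added example (not part of the original article or of the InjectProc project), the Python below triages Sysmon Event ID 8 records saved from Event Viewer as XML and flags the InjectProc -> winrar.exe case shown above. The two sample events, the benign-source allowlist and the file paths are constructed assumptions; the field names (SourceImage, TargetImage, StartModule, StartFunction) are Sysmon's own.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed Event ID 8 records (not real telemetry), in Event Viewer "Save as XML" shape.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\lab\Desktop\InjectProc.exe</Data>
    <Data Name="TargetImage">C:\Program Files\WinRAR\winrar.exe</Data>
    <Data Name="StartModule">C:\Windows\System32\KERNEL32.DLL</Data>
    <Data Name="StartFunction">LoadLibraryA</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData>
</Event>
</Events>"""

# Source processes assumed benign for this example; tune per environment (not a Sysmon default).
BENIGN_SOURCES = {r"c:\windows\system32\csrss.exe"}
# Thread entry points characteristic of classic LoadLibrary-based DLL injection.
DLL_INJECTION_STARTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

def parse_event8(xml_text):
    """Return one dict per Event ID 8 record, keyed by Sysmon EventData field name."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) == "8":
            records.append({d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)})
    return records

def triage(record):
    """Reasons a CreateRemoteThread record looks like injection (empty list = not flagged)."""
    reasons = []
    if record.get("SourceImage", "").lower() not in BENIGN_SOURCES:
        reasons.append("unexpected remote-thread source " + record.get("SourceImage", "?"))
    if record.get("StartFunction", "").lower() in DLL_INJECTION_STARTS:
        reasons.append("thread entry " + record["StartFunction"] + " (classic DLL injection)")
    return reasons

def flagged_events(xml_text):
    """(SourceImage, TargetImage, reasons) for every record that triage() flags."""
    return [(r["SourceImage"], r["TargetImage"], why) for r in parse_event8(xml_text) if (why := triage(r))]
```

Running flagged_events(SAMPLE_EVENTS) reports only the InjectProc -> winrar.exe record, with two reasons, while the csrss.exe event passes the allowlist.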