detecting-process-injection-techniques
Installation
SKILL.md
Detecting Process Injection Techniques
When to Use
- EDR alerts on suspicious API call sequences (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)
- A legitimate process (explorer.exe, svchost.exe) exhibits unexpected network connections or file operations
- Memory forensics reveals executable code in memory regions that should not contain it
- Investigating living-off-the-land attacks where malware hides inside trusted processes
- Building detection logic for specific injection techniques in EDR or SIEM rules
Do not use for standard DLL loading analysis; injection implies unauthorized code placement in a process without that process's cooperation.