detecting-process-injection-techniques
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides automated and manual commands for system utilities such as
wevtutilto query Windows Event Logs andvol3for deep memory forensics. - [EXTERNAL_DOWNLOADS]: Documents the use of well-known industry libraries like
pefileandcapstone, as well as the Volatility 3 framework, for analyzing binary data and process memory. - [DYNAMIC_EXECUTION]: Includes Python code snippets that use the
subprocessmodule to interact with system tools and perform runtime disassembly of shellcode using standard forensics libraries. - [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to process untrusted data from memory dumps and system events, which represents a potential attack surface.
- Ingestion points: Memory dump files and Sysmon XML logs processed via
wevtutilin SKILL.md. - Boundary markers: None; the agent is instructed to directly parse and analyze external artifacts.
- Capability inventory: Shell command execution via
subprocess, file system read access for memory dumps, and arbitrary Python execution for binary analysis. - Sanitization: No explicit validation or escaping of strings extracted from process memory or log data is performed before printing or processing.
Audit Metadata