HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon

Date
2022-01-04
Authors
Thomas, Rodney
Steiner, Stuart
Conte De Leon, Daniel
Abstract
Advanced Persistent Threat (APT) actors are increasingly utilizing Living-off-the-Land (LotL) cyber attack techniques to avoid detection. LotL techniques abuse legitimate functionality to perform malicious cyber activities. A common LotL attack technique that is currently very difficult to detect and prevent is malicious process injection (MITRE ATT&CK Process Injection, ID: T1055). We report on the initial results for HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon. We developed a hierarchical graph-based detection approach for accurate and automated detection of five process injection techniques in Windows clients. These techniques include four of 11 T1055 sub-techniques (DLL Injection, PE Injection, APC Injection, and Process Hollowing) and a T1056 sub-technique: API Hooking (T1056.004). Our novel detection approach exhibits, within the limitations of our small testing environment, very high sensitivity and specificity. HESPIDS demonstrates a promising avenue for development of automated detection of advanced cybersecurity threats.
Keywords
Cyber Operations, Defence, and Forensics, advanced persistent threats, living off the land, process injection