Title: HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon
Authors: Thomas, Rodney; Steiner, Stuart; Conte De Leon, Daniel
Dates: 2021-12-24; 2021-12-24; 2022-01-04
ISBN: 978-0-9981331-5-7
Handle: http://hdl.handle.net/10125/80247
DOI: 10.24251/HICSS.2022.905
Extent: 10 pages
Language: eng
License: Attribution-NonCommercial-NoDerivatives 4.0 International
Track: Cyber Operations, Defence, and Forensics
Keywords: advanced persistent threats; living off the land; process injection
Type: text

Abstract: Advanced Persistent Threat (APT) actors are increasingly using Living-off-the-Land (LotL) attack techniques to avoid detection. LotL techniques abuse legitimate functionality to carry out malicious activity. A common LotL technique that is currently very difficult to detect and prevent is malicious process injection (MITRE ATT&CK Process Injection, T1055). We report initial results for HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon. We developed a hierarchical, graph-based detection approach for accurate and automated detection of five process injection techniques on Windows clients: four of the 11 T1055 sub-techniques (DLL Injection, PE Injection, APC Injection, and Process Hollowing) and one T1056 sub-technique, API Hooking (T1056.004). Within the limitations of our small testing environment, our detection approach exhibits very high sensitivity and specificity. HESPIDS demonstrates a promising avenue for the development of automated detection of advanced cybersecurity threats.
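The abstract describes a hierarchical, graph-based correlation of Sysmon telemetry into process-injection alerts without giving the mechanics. The following is an added illustration of what such a layered design looks like in practice; it is not code from the HESPIDS paper, and the primitives, technique patterns and sample events are constructed assumptions for this example. It uses the real field names of Sysmon Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread), and covers two of the sub-techniques the abstract names (DLL Injection and PE Injection) with heuristics that are commonly used in detection engineering, not the paper's own rules.

```python
"""Illustrative hierarchical, graph-based correlation of Sysmon events into
process-injection alerts. Added example, not the HESPIDS implementation.
Field names follow Sysmon Event ID 10 (ProcessAccess) and Event ID 8
(CreateRemoteThread); the sample events and the heuristics are constructed."""
from collections import defaultdict

# Windows process access rights (winnt.h) used to interpret GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020


def classify_event(ev):
    """Layer 1: map one Sysmon event to low-level primitives (may be empty)."""
    prims = []
    if ev["EventID"] == 10:
        granted = int(ev["GrantedAccess"], 16)  # Sysmon logs e.g. "0x1FFFFF"
        if granted & PROCESS_VM_WRITE and granted & (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION):
            prims.append("inject_capable_handle")
    elif ev["EventID"] == 8:
        prims.append("remote_thread")
        if ev.get("StartFunction", "").startswith("LoadLibrary"):
            prims.append("loadlibrary_thread")  # classic DLL-injection entry point
        if not ev.get("StartModule"):
            prims.append("unbacked_thread")  # thread start not backed by any module
    return prims


def build_graph(events):
    """Layer 2: directed graph source -> target; each edge keeps the
    time-ordered (primitives, event) pairs observed between that process pair."""
    graph = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["SourceProcessGuid"] == ev["TargetProcessGuid"]:
            continue  # a process acting on itself is not cross-process injection
        prims = classify_event(ev)
        if prims:
            graph[(ev["SourceProcessGuid"], ev["TargetProcessGuid"])].append((prims, ev))
    return graph


# Layer 3: technique patterns as ordered primitive sequences on a single edge.
# The sub-technique IDs are ATT&CK's; the mapping to primitives is a heuristic
# chosen for this example (assumption, not the paper's rule set).
PATTERNS = {
    "T1055.001 DLL Injection (heuristic)": ["inject_capable_handle", "loadlibrary_thread"],
    "T1055.002 PE Injection (heuristic)": ["inject_capable_handle", "unbacked_thread"],
}


def is_subsequence(pattern, seq):
    """True if every element of pattern appears in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(any(item == want for item in it) for want in pattern)


def detect(events):
    """Walk every edge of the graph and report each technique pattern it matches."""
    alerts = []
    for _edge, items in build_graph(events).items():
        prims = [p for ps, _ in items for p in ps]
        for technique, pattern in PATTERNS.items():
            if is_subsequence(pattern, prims):
                first = items[0][1]
                alerts.append({
                    "technique": technique,
                    "source": first["SourceImage"],
                    "target": first["TargetImage"],
                    "evidence": [ev["EventID"] for _, ev in items],
                })
    return alerts


# Constructed sample events (a subset of Sysmon fields), not real telemetry.
SAMPLE_EVENTS = [
    # Benign: a tool opens a handle with broad rights but never starts a thread.
    {"EventID": 10, "UtcTime": "2021-12-01 10:00:00.100",
     "SourceProcessGuid": "{A}", "SourceImage": r"C:\Tools\procmon.exe",
     "TargetProcessGuid": "{B}", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    # DLL injection: handle with write/thread rights, then a remote thread at LoadLibraryA.
    {"EventID": 10, "UtcTime": "2021-12-01 10:00:01.000",
     "SourceProcessGuid": "{C}", "SourceImage": r"C:\Users\u\injector.exe",
     "TargetProcessGuid": "{D}", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x143A"},
    {"EventID": 8, "UtcTime": "2021-12-01 10:00:01.250",
     "SourceProcessGuid": "{C}", "SourceImage": r"C:\Users\u\injector.exe",
     "TargetProcessGuid": "{D}", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    # PE injection: same handle pattern, then a thread starting in unbacked memory.
    {"EventID": 10, "UtcTime": "2021-12-01 10:00:02.000",
     "SourceProcessGuid": "{E}", "SourceImage": r"C:\Users\u\dropper.exe",
     "TargetProcessGuid": "{B}", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2021-12-01 10:00:02.300",
     "SourceProcessGuid": "{E}", "SourceImage": r"C:\Users\u\dropper.exe",
     "TargetProcessGuid": "{B}", "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": "", "StartFunction": ""},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The point of the layering is that no single event is alerted on: a broad-rights handle alone (the procmon case) is common and noisy, and a remote thread alone has legitimate uses, but the ordered combination on one source-to-target edge is what characterises the injection sub-techniques. Extending the design to APC Injection or Process Hollowing means adding primitives (for example from Sysmon Event ID 1 parent/child creation) and another entry in the pattern table, without touching the graph layer.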