Blue Team — detecting self-injection
Perspective
This post is the flip side of the red team writeups: same attack, seen from the defender's side.
Self-injection using VirtualAlloc + VirtualProtect + CreateThread is detectable with minimal telemetry.
Useful telemetry
| Source | Event | Example query |
|---|---|---|
| Sysmon EID 1 | CreateRemoteThread | Image != "csrss.exe" AND SourceImage != TargetImage |
| ETW | kernel VirtualAlloc RWX | EventID=25 AND Protection=0x40 |
| Sysmon EID 10 | ProcessAccess | GrantedAccess=0x1F0FFF |
| EDR | API hooks | ntdll!NtCreateThreadEx called from non-ntdll |
Sigma rule
```yaml
title: Self-injection via VirtualProtect RX flip
logsource:
  product: windows
  category: process_access
detection:
  selection:
    EventID: 10
    GrantedAccess:
      - '0x1F0FFF'
      - '0x1F03FF'
  filter:
    SourceImage|endswith:
      - '\csrss.exe'
      - '\lsass.exe'
      - '\svchost.exe'
  condition: selection and not filter
level: high
```
Hardening
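To see what the rule above actually matches, here is its `selection and not filter` logic written out in plain Python and run over a handful of constructed Sysmon Event ID 10 records. This is an added example, not code from the post; the event records, process names and the `triage` helper are made up for illustration. It goes one step beyond the Sigma rule by also separating the matches where SourceImage equals TargetImage, which standard Sigma cannot express as a field-to-field comparison.

```python
"""Evaluate the self-injection Sigma rule over constructed Sysmon EID 10 events.

Added example (not the post's code). Values in SUSPICIOUS_ACCESS and
EXCLUDED_SOURCES are copied from the rule's selection and filter blocks.
"""
from dataclasses import dataclass

# Same literals as the Sigma rule.
SUSPICIOUS_ACCESS = {"0x1F0FFF", "0x1F03FF"}
EXCLUDED_SOURCES = ("\\csrss.exe", "\\lsass.exe", "\\svchost.exe")


@dataclass
class ProcessAccessEvent:
    """Subset of Sysmon Event ID 10 (ProcessAccess) fields used by the rule."""
    event_id: int
    source_image: str
    target_image: str
    granted_access: str  # Sysmon logs this as a hex string, e.g. '0x1F0FFF'


def matches_rule(ev: ProcessAccessEvent) -> bool:
    """'selection and not filter', exactly as the rule's condition states."""
    selection = (
        ev.event_id == 10
        and ev.granted_access.upper() in {a.upper() for a in SUSPICIOUS_ACCESS}
    )
    # Sigma's |endswith is case-insensitive on Windows paths; mirror that.
    filtered = ev.source_image.lower().endswith(
        tuple(e.lower() for e in EXCLUDED_SOURCES)
    )
    return selection and not filtered


def is_self_access(ev: ProcessAccessEvent) -> bool:
    """Source opened a handle to itself: the self-injection case."""
    return ev.source_image.lower() == ev.target_image.lower()


def triage(events):
    """Return (alerts, self_hits): all rule matches, and those with source == target."""
    alerts = [ev for ev in events if matches_rule(ev)]
    self_hits = [ev for ev in alerts if is_self_access(ev)]
    return alerts, self_hits


# Constructed sample events (hypothetical paths and access masks).
SAMPLE_EVENTS = [
    # Process opens itself with full access: rule match, source == target.
    ProcessAccessEvent(10, r"C:\Users\u\loader.exe", r"C:\Users\u\loader.exe", "0x1F0FFF"),
    # lsass.exe is in the filter list: suppressed even with the same mask.
    ProcessAccessEvent(10, r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\svchost.exe", "0x1F0FFF"),
    # Handle to another process: rule match, but not self-injection.
    ProcessAccessEvent(10, r"C:\Users\u\loader.exe", r"C:\Windows\explorer.exe", "0x1f03ff"),
    # Low-privilege query access: not in the selection.
    ProcessAccessEvent(10, r"C:\Users\u\notepad.exe", r"C:\Users\u\notepad.exe", "0x1000"),
    # Wrong event type entirely.
    ProcessAccessEvent(8, r"C:\Users\u\loader.exe", r"C:\Users\u\loader.exe", "0x1F0FFF"),
]


if __name__ == "__main__":
    alerts, self_hits = triage(SAMPLE_EVENTS)
    for ev in alerts:
        tag = "SELF" if is_self_access(ev) else "REMOTE"
        print(f"[{tag}] {ev.source_image} -> {ev.target_image} ({ev.granted_access})")
```

One caveat worth keeping in mind when tuning this: Sysmon Event ID 10 is produced when a process handle is opened, so it only sees the injector if it actually calls OpenProcess on itself (or another process). The source == target split is where the post's "source = target" discriminator lives; the Sigma rule on its own also fires on the remote case.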
Real mitigations
- Block loaded modules from RWX (ProcessMitigation)
- Arbitrary Code Guard (ACG)
- CFG (Control Flow Guard) to protect indirect calls
```mermaid
flowchart LR
A[alloc RW] --> B[write shellcode]
B --> C[protect RX]
C --> D[create thread]
D --> E[detect]
style E fill:#ff3860,color:#fff
```
If your EDR sees the chain A→B→C→D in under 50 ms with source = target, it is almost certainly self-injection.
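The timing rule in the paragraph above (A→B→C→D within 50 ms, source equal to target) is a sequence correlation, so here it is as a small per-process state machine run over constructed EDR API-hook records. This is an added example, not the post's code: the record layout (`ts_ms`, `pid`, `target_pid`, `api`, `protect`), the API names and the process IDs are assumptions made for illustration. It generalizes the post's chain slightly by treating the write step as optional, because a self-injector writes its payload with a plain memory copy that no API hook records.

```python
"""Correlate the alloc RW -> write -> protect RX -> create thread chain per process.

Added example (not the post's code). Events are hypothetical EDR API-hook
records; the 50 ms window is the threshold stated in the post.
"""

WINDOW_MS = 50
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40

# Stages A, B, C, D from the flowchart, in the order they must occur.
CHAIN = ("VirtualAlloc", "WriteMemory", "VirtualProtect", "CreateThread")
# Stage B is a memcpy in the self-injection case, so it may never be logged.
OPTIONAL = {"WriteMemory"}


def _stage_ok(ev):
    """Check the protection values that make a stage part of the RW -> RX flip."""
    if ev["api"] == "VirtualAlloc":
        return ev.get("protect") == PAGE_READWRITE
    if ev["api"] == "VirtualProtect":
        return ev.get("protect") in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE)
    return True


def detect_self_injection(events, window_ms=WINDOW_MS):
    """Return [(pid, start_ts, end_ts), ...] for every completed chain.

    Only events where pid == target_pid count (self-injection); remote
    injection is a different detection. The chain must complete within
    window_ms of the initial RW allocation, otherwise progress is discarded.
    """
    hits = []
    progress = {}  # pid -> (next_stage_index, chain_start_ts)
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        if ev["pid"] != ev["target_pid"]:
            continue
        pid = ev["pid"]
        stage, start = progress.get(pid, (0, None))
        if start is not None and ev["ts_ms"] - start > window_ms:
            stage, start = 0, None  # too slow: not the tight chain we want
        if ev["api"] == CHAIN[0] and _stage_ok(ev):
            progress[pid] = (1, ev["ts_ms"])  # a fresh RW alloc (re)starts the chain
            continue
        if stage == 0:
            progress[pid] = (0, None)
            continue
        expected = CHAIN[stage]
        if ev["api"] == expected and _stage_ok(ev):
            stage += 1
        elif (expected in OPTIONAL and stage + 1 < len(CHAIN)
              and ev["api"] == CHAIN[stage + 1] and _stage_ok(ev)):
            stage += 2  # write step unobserved; accept the next stage directly
        if stage == len(CHAIN):
            hits.append((pid, start, ev["ts_ms"]))
            stage, start = 0, None
        progress[pid] = (stage, start)
    return hits


# Constructed sample telemetry (hypothetical PIDs and timestamps).
SAMPLE_EVENTS = [
    # pid 4242: full chain in 20 ms against itself -> hit
    {"ts_ms": 1000, "pid": 4242, "target_pid": 4242, "api": "VirtualAlloc", "protect": PAGE_READWRITE},
    {"ts_ms": 1005, "pid": 4242, "target_pid": 4242, "api": "WriteMemory", "protect": None},
    {"ts_ms": 1012, "pid": 4242, "target_pid": 4242, "api": "VirtualProtect", "protect": PAGE_EXECUTE_READ},
    {"ts_ms": 1020, "pid": 4242, "target_pid": 4242, "api": "CreateThread", "protect": None},
    # pid 5000: same steps but the RX flip comes 120 ms later -> outside the window
    {"ts_ms": 2000, "pid": 5000, "target_pid": 5000, "api": "VirtualAlloc", "protect": PAGE_READWRITE},
    {"ts_ms": 2010, "pid": 5000, "target_pid": 5000, "api": "WriteMemory", "protect": None},
    {"ts_ms": 2120, "pid": 5000, "target_pid": 5000, "api": "VirtualProtect", "protect": PAGE_EXECUTE_READ},
    {"ts_ms": 2125, "pid": 5000, "target_pid": 5000, "api": "CreateThread", "protect": None},
    # pid 7000 acting on pid 6000: remote, ignored by this detector
    {"ts_ms": 3000, "pid": 7000, "target_pid": 6000, "api": "VirtualAlloc", "protect": PAGE_READWRITE},
    {"ts_ms": 3004, "pid": 7000, "target_pid": 6000, "api": "VirtualProtect", "protect": PAGE_EXECUTE_READ},
    {"ts_ms": 3009, "pid": 7000, "target_pid": 6000, "api": "CreateThread", "protect": None},
    # pid 9000: write step never logged (memcpy), rest of the chain in 15 ms -> hit
    {"ts_ms": 4000, "pid": 9000, "target_pid": 9000, "api": "VirtualAlloc", "protect": PAGE_READWRITE},
    {"ts_ms": 4008, "pid": 9000, "target_pid": 9000, "api": "VirtualProtect", "protect": PAGE_EXECUTE_READ},
    {"ts_ms": 4015, "pid": 9000, "target_pid": 9000, "api": "CreateThread", "protect": None},
]


if __name__ == "__main__":
    for pid, start, end in detect_self_injection(SAMPLE_EVENTS):
        print(f"self-injection chain in pid {pid}: {end - start} ms")
```

The window reset is what keeps this from firing on ordinary JIT or loader behaviour that happens to touch the same APIs over a longer period; tighten or loosen `WINDOW_MS` against your own baseline before deploying anything like it.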