FalconFriday — Process injection and malicious CPL files

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part four!

Today’s content:

-> Process injection using the CreateRemoteThread API.
-> Suspicious CPL files being loaded (https://attack.mitre.org/techniques/T1218/002/).

Cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-process-injection-and-malicious-cpl-files-0xff03-8ba1ee5da64

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday