FalconFriday — Process Injection revisited — 0xFF0F


FalconFriday — Process Injection revisited — 0xFF0F

In this edition of FalconFriday, we are going to revisit process injection techniques. We’ve covered process injection in a previous blog post; this one is an extension to cover other process injection techniques.

TL;DR for blue teams: The two rules in this blog provide you with (indicators of) process injection techniques that are not natively detected by Defender for Endpoint.

TL;DR for red teams: We’re trying to push you to start using more obscure process injection techniques. Injections with QueueUserApcand explicitly allocating memory in remote processes are being detected by these two rules.

Cross post from medium.com, please read the full article here:


Direct link to our Github page: