Replies: 3 comments 1 reply
-
|
In any case, the definitions of Old Definitions:
New Definitions:
|
Beta Was this translation helpful? Give feedback.
-
|
Isn't a fifth option to change the type of injection_type to be an external reference that points at T1055 sub techniques? Why re-invent something already well defined and maintained. |
Beta Was this translation helpful? Give feedback.
-
|
I believe this one is being discussed in some of the subsequent discussions more specific to 'injection_type_id'. |
Beta Was this translation helpful? Give feedback.
-
|
Putting this one to bed, as we addressed the main issue of |
Beta Was this translation helpful? Give feedback.
-
Currently, System Activity > Process Activity events have an
Injectactivity for injection events.The Mitre Process Injection Technique defines Process Injection as
> "a method of executing arbitrary code in the address space of a separate live process."
It was expressed that there is a need to accurately map properties of an injection - namely the
Injection Path.Currently, the Process Activity Class has two injection attributes:
injection_typeandinjection_type_id, but no discreet attribute forInjection Path:Three approaches which came up in partner discussions are:
actor_processinjectsmoduleinto thetarget processinjection_pathattribute to the Process Activity class (would mean one structural change - an addition)injectionobject with.path,.type, and.type_idattributes (would mean multiple structural changes, creating a new object and moving attributes into it)actor_processinjectsmoduleinto thetarget process. In Addition, update the definition ofprocessto "The process that was launched, injected into, opened, or terminated."5 votes ·
Beta Was this translation helpful? Give feedback.
All reactions