Replies: 3 comments 1 reply
-
|
In any case, the definitions of Old Definitions:
New Definitions:
|
Beta Was this translation helpful? Give feedback.
-
|
Isn't a fifth option to change the type of injection_type to be an external reference that points at T1055 sub techniques? Why re-invent something already well defined and maintained. |
Beta Was this translation helpful? Give feedback.
-
|
I believe this one is being discussed in some of the subsequent discussions more specific to 'injection_type_id'. |
Beta Was this translation helpful? Give feedback.
-
|
Putting this one to bed, as we addressed the main issue of |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Currently, System Activity > Process Activity events have an
Injectactivity for injection events.The Mitre Process Injection Technique defines Process Injection as
> "a method of executing arbitrary code in the address space of a separate live process."
It was expressed that there is a need to accurately map properties of an injection - namely the
Injection Path.Currently, the Process Activity Class has two injection attributes:
injection_typeandinjection_type_id, but no discreet attribute forInjection Path:Three approaches which came up in partner discussions are:
actor_processinjectsmoduleinto thetarget processinjection_pathattribute to the Process Activity class (would mean one structural change - an addition)injectionobject with.path,.type, and.type_idattributes (would mean multiple structural changes, creating a new object and moving attributes into it)actor_processinjectsmoduleinto thetarget process. In Addition, update the definition ofprocessto "The process that was launched, injected into, opened, or terminated."5 votes ·
Beta Was this translation helpful? Give feedback.
All reactions