Kaspersky Anti Targeted Attack Platform

Information about the "Code injection" event

The window displaying information about Code injection events contains the following details:

  • Tree of events.
  • Actions that can be performed to handle an event.
  • Code injection section:
    • IOA tags—Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.

      Click the link to display information about the TAA (IOA) rule. If the rule was provided by Kaspersky experts, it contains information about the triggered TAA (IOA) rule, as well as recommendations for reacting to the event.

      The field is displayed if a TAA (IOA) rule was triggered when the event was created.

    • File—Path to the target process file.
    • Process ID—Identifier of the target process.
    • Launch parameters—Command line options of the target process.
    • Modified start options—Modified command line options of the target process.

      This field is displayed if the ARG_SPOOFING method was used to inject code.

    • MD5—MD5 hash of the target process file.
    • SHA256—SHA256 hash of the target process file.
    • Access method—Method of access to the target process.

      This field can have the following values: WRITE_EXECUTABLE_MEMORY, SET_WINDOWS_HOOK, QUEUE_APC_THREAD, SET_THREAD_CONTEXT, MAP_VIEW_OF_SECTION, CREATE_REMOTE_THREAD, ARG_SPOOFING.

    • Address space—Address in the address space of the target process at which the remotely executed code was placed.

      This field is not populated if the code was injected using the SET_WINDOWS_HOOK or ARG_SPOOFING methods.

    • System call parameters—Command line that the target process was started with.
    • DLL name—Name of the DLL that contains the hook procedure and the name of the function to which control is passed after injection.

      This field is filled if the SET_WINDOWS_HOOK method was used to inject code.

    • DLL full path—Path to the DLL containing the hook procedure.

      This field is filled if the SET_WINDOWS_HOOK method was used to inject code.

    • Event time—Time of code injection.
    • Call trace—API call stack at the time of interception of the function related to code injection.
  • Event initiator section:
    • File—Name of the parent process file.
    • MD5—MD5 hash of the parent process file.
    • SHA256—SHA256 hash of the parent process file.
  • System info section:
    • Host name—Name of the host on which the code injection occurred.
    • User name—Name of the user account that was used for the code injection.
    • OS version—Version of the operating system that is being used on the host.
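The field rules above (which values Access method may take, and which fields are filled only for ARG_SPOOFING or SET_WINDOWS_HOOK) are the kind of thing that silently breaks when these events are forwarded to a SIEM. The following is an added example, not Kaspersky code, of a consistency check and a one-line triage summary for a Code injection event. It assumes the event is available as a JSON object with one sub-object per section named on this page ("Code injection", "Event initiator", "System info") keyed by the field names as listed; the actual export or API layout is not shown on the page, so that structure and the sample event are constructed for illustration.

```python
"""Consistency checks and a triage summary for Kaspersky Anti Targeted Attack
"Code injection" events.

Added example, not Kaspersky code. It assumes each event is a JSON object with
one sub-object per section named in the reference ("Code injection",
"Event initiator", "System info") whose keys are the field names as listed;
the real export format is not shown on the page, so that layout is an
assumption. The rules encoded here are exactly the ones the reference states.
"""
from __future__ import annotations

import json
import re

# The seven values the reference lists for the "Access method" field.
ACCESS_METHODS = {
    "WRITE_EXECUTABLE_MEMORY", "SET_WINDOWS_HOOK", "QUEUE_APC_THREAD",
    "SET_THREAD_CONTEXT", "MAP_VIEW_OF_SECTION", "CREATE_REMOTE_THREAD",
    "ARG_SPOOFING",
}
# Methods for which the reference says "Address space" is not populated.
NO_ADDRESS_SPACE = {"SET_WINDOWS_HOOK", "ARG_SPOOFING"}

HASH_FORMAT = {"MD5": re.compile(r"^[0-9a-f]{32}$", re.I),
               "SHA256": re.compile(r"^[0-9a-f]{64}$", re.I)}


def _filled(section: dict, key: str) -> bool:
    """True when the field is present and non-empty."""
    value = section.get(key)
    return value is not None and str(value).strip() != ""


def check_event(event: dict) -> list[str]:
    """Return the inconsistencies between an event and the documented field rules.

    An empty list means the event matches the reference.
    """
    findings: list[str] = []
    ci = event.get("Code injection", {})
    method = ci.get("Access method")

    if method not in ACCESS_METHODS:
        return [f"unknown Access method: {method!r}"]

    # "Modified start options" is displayed only if ARG_SPOOFING was used.
    if (method == "ARG_SPOOFING") != _filled(ci, "Modified start options"):
        findings.append("Modified start options must be filled exactly when "
                        "Access method is ARG_SPOOFING")

    # "Address space" is not populated for SET_WINDOWS_HOOK or ARG_SPOOFING.
    if method in NO_ADDRESS_SPACE and _filled(ci, "Address space"):
        findings.append(f"Address space must be empty for {method}")

    # "DLL name" and "DLL full path" are filled only for SET_WINDOWS_HOOK.
    for key in ("DLL name", "DLL full path"):
        if (method == "SET_WINDOWS_HOOK") != _filled(ci, key):
            findings.append(f"{key} must be filled exactly when Access method "
                            "is SET_WINDOWS_HOOK")

    # Both the target (Code injection) and the parent (Event initiator) carry hashes.
    for section_name in ("Code injection", "Event initiator"):
        section = event.get(section_name, {})
        for algo, pattern in HASH_FORMAT.items():
            if not pattern.match(str(section.get(algo, ""))):
                findings.append(f"{section_name}: {algo} is not a valid hex digest")
    return findings


def with_field(event: dict, section: str, key: str, value) -> dict:
    """Return a deep copy of the event with one field changed (for what-if checks)."""
    copy = json.loads(json.dumps(event))
    copy.setdefault(section, {})[key] = value
    return copy


def triage_line(event: dict) -> str:
    """One-line summary in the order an analyst reads it: where, who, parent -> target, how."""
    ci, parent, sysinfo = (event["Code injection"], event["Event initiator"],
                           event["System info"])
    return (f"{sysinfo['Host name']} / {sysinfo['User name']}: {parent['File']} -> "
            f"{ci['File']} (PID {ci['Process ID']}) via {ci['Access method']} "
            f"at {ci['Event time']}")


# Constructed sample event (hashes are the well-known digests of the empty input,
# used here only as syntactically valid placeholders).
SAMPLE_EVENT = {
    "Code injection": {
        "File": r"C:\Windows\System32\notepad.exe",
        "Process ID": 4120,
        "Launch parameters": "notepad.exe",
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "Access method": "CREATE_REMOTE_THREAD",
        "Address space": "0x00007ff6a1b20000",
        "Event time": "2024-01-15T10:32:07Z",
    },
    "Event initiator": {
        "File": "sample-parent.exe",
        "MD5": "d41d8cd98f00b204e9800998ecf8427e",
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    },
    "System info": {"Host name": "WS-EXAMPLE-01", "User name": "EXAMPLE\\analyst",
                    "OS version": "Windows 10"},
}

if __name__ == "__main__":
    print(triage_line(SAMPLE_EVENT))
    print("findings:", check_event(SAMPLE_EVENT) or "none")
    hook = with_field(SAMPLE_EVENT, "Code injection", "Access method", "SET_WINDOWS_HOOK")
    for finding in check_event(hook):
        print(" -", finding)
```

Running the file prints the triage line for the sample, reports no findings for it, and then shows the three inconsistencies that appear when only the Access method is flipped to SET_WINDOWS_HOOK (Address space still filled, DLL name and DLL full path missing). Only the rules the page actually states are enforced; the page does not say that Address space is always filled for the other five methods, so its absence there is not flagged.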