NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

← Toolchain

Instrument

VisorHollow

Bill Rondell, Nick Adams & Dade Murphy — instrument — 1 min read — 36 words
Phase
instrument
Language
Go

Process-injection detection benchmark with Sysmon validation

§ Workflow phase

  1. 01 hunt
  2. 02 analyze
  3. 03 enrich
  4. 04 report
  5. 05 instrument

Instrumentation. The lab's own infrastructure.

VisorHollow is a process-injection detection benchmark, NtMapViewOfSection

  • WriteProcessMemory chains tested against Sysmon configurations with pass / fail per Event ID.

Used to validate whether an org’s Sysmon ruleset actually catches the injection chains it claims to.

§ instrument layer

Same phase