security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2
blue-team-tools/rules/windows/process_creation/process_creation_susp_image_missing.yml
T

31 lines
866 B
YAML
Raw Normal View History

feat: Add rules to detect uncommon process creation events
2021-12-09 14:08:29 +01:00
title: Execution Of Not Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: experimental
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
chore: update modified date
2022-01-25 11:46:16 +01:00
modified: 2022/01/25
feat: Add rules to detect uncommon process creation events
2021-12-09 14:08:29 +01:00
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
image_absolute_path:
Image|contains: '\'
fix: Add filter for empty image to rule
2022-01-25 11:43:13 +01:00
filter_null:
feat: Add rules to detect uncommon process creation events
2021-12-09 14:08:29 +01:00
Image: null
fix: Add filter for empty image to rule
2022-01-25 11:43:13 +01:00
filter_empty:
Image:
- '-'
- ''
fix: FPs with 4688 events that can contain 'Registry'
2021-12-27 11:48:51 +01:00
filter_4688:
- Image: 'Registry'
- CommandLine: 'Registry'
condition: not image_absolute_path and not 1 of filter*
feat: Add rules to detect uncommon process creation events
2021-12-09 14:08:29 +01:00
falsepositives:
- unknown
set level to high
2021-12-09 16:03:06 +01:00
level: high
Reference in New Issue Copy Permalink