removed unsupported rule from oscd branch
@@ -1,35 +0,0 @@
title: Defense evasion via process reimaging
description: Detects process reimaging defense evasion technique, where
# ImageFileName != OriginalFileName
# ProcessGuid = ParentProcessGuid
# Image = TargetFileName
# Image = ^.+\\<ImageFileName>$
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
tags:
- attack.defense_evasion
author: Alexey Balandin, oscd community
status: experimental
date: 2019/10/25
logsource:
product: windows
service: sysmon
detection:
condition: all of them
# Create Process Sysmon Event
selection1:
EventID: 1
# Create File Sysmon Event
selection2:
EventID: 11
fields:
- Image
- OriginalFileName
- ProcessGuid
- ParentProcessGuid
- TargetFileName
new_fields:
- ImageFileName
falsepositives:
- unknown
level: high
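Review bot: the removal is justified, because the rule as written could never fire: `condition: all of them` over `selection1` (`EventID: 1`) and `selection2` (`EventID: 11`) requires one event to carry both EventIDs at once, which no Sysmon event does. The actual detection logic exists only as commented-out pseudo-conditions in the description (`# ImageFileName != OriginalFileName`, `# ProcessGuid = ParentProcessGuid`, `# Image = TargetFileName`), which need correlation across a process-creation event and a file-creation event plus a derived `ImageFileName` field (the `new_fields` entry), none of which this Sigma format expresses. Suggest the commit message or an issue record that the idea (and the McAfee reference) should be revisited in a correlation-capable rule format rather than dropped silently, since the `description:` line is also truncated after "where" and gives a future author nothing to work from.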