security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eb22807ddc4e4e766380c78bdbcfc7079dd32d49
blue-team-tools/rules/windows/process_creation/process_creation_susp_image_missing.yml
T
Florian Roth 7a8f09a6b5 fix: FPs with 4688 events that can contain 'Registry'
2021-12-27 11:48:51 +01:00

27 lines
793 B
YAML
Raw Blame History

title: Execution Of Not Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: experimental
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
author: Max Altgelt
date: 2021/12/09
modified: 2021/12/27
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
image_absolute_path:
Image|contains: '\'
filter:
Image: null
filter_4688:
- Image: 'Registry'
- CommandLine: 'Registry'
condition: not image_absolute_path and not 1 of filter*
falsepositives:
- unknown
level: high
Reference in New Issue View Git Blame Copy Permalink