2019-11-19 01:17:07 +00:00
|
|
|
action: global
|
|
|
|
|
title: Defense evasion via process reimaging
|
2019-12-19 22:56:36 +00:00
|
|
|
id: 7fa4f550-850e-4117-b543-428c86ebb849
|
2019-11-19 01:17:07 +00:00
|
|
|
description: Detects process reimaging defense evasion technique
|
|
|
|
|
# where
|
|
|
|
|
# selection1: ImageFileName != selection1: OriginalFileName
|
|
|
|
|
# selection1: ParentProcessGuid = selection2: ProcessGuid
|
|
|
|
|
# selection1: Image = selection2: TargetFileName
|
|
|
|
|
# and new field ImageFileName is coming from enrichment
|
|
|
|
|
# selection1: Image = ^.+\\<ImageFileName>$
|
|
|
|
|
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
|
|
|
|
|
# Rule logic is currently not supported by SIGMA.
|
|
|
|
|
# Sysmon v.10.0 or newer is required for proper detection.
|
|
|
|
|
status: experimental
|
|
|
|
|
author: Alexey Balandin, oscd.community
|
|
|
|
|
references:
|
|
|
|
|
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
|
|
|
|
|
tags:
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
date: 2019/10/25
|
|
|
|
|
detection:
|
|
|
|
|
condition: all of them
|
|
|
|
|
falsepositives:
|
|
|
|
|
- unknown
|
|
|
|
|
level: high
|
|
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
|
|
|
|
selection1:
|
|
|
|
|
category: process_creation
|
|
|
|
|
fields:
|
|
|
|
|
- Image
|
|
|
|
|
- OriginalFileName
|
|
|
|
|
- ParentProcessGuid
|
|
|
|
|
new_fields:
|
|
|
|
|
- ImageFileName
|
|
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
|
|
|
|
selection2:
|
|
|
|
|
EventID: 11
|
|
|
|
|
fields:
|
|
|
|
|
- ProcessGuid
|
|
|
|
|
- TargetFileName
|
