mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
924e1feb54
* Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
49 lines
1.4 KiB
YAML
49 lines
1.4 KiB
YAML
action: global
|
|
title: Defense evasion via process reimaging
|
|
id: 7fa4f550-850e-4117-b543-428c86ebb849
|
|
description: Detects process reimaging defense evasion technique
|
|
# where
|
|
# selection1: ImageFileName != selection1: OriginalFileName
|
|
# selection1: ParentProcessGuid = selection2: ProcessGuid
|
|
# selection1: Image = selection2: TargetFileName
|
|
# and new field ImageFileName is coming from enrichment
|
|
# selection1: Image = ^.+\\<ImageFileName>$
|
|
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
|
|
# Rule logic is currently not supported by SIGMA.
|
|
# Sysmon v.10.0 or newer is required for proper detection.
|
|
status: experimental
|
|
author: Alexey Balandin, oscd.community
|
|
references:
|
|
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
|
|
tags:
|
|
- attack.defense_evasion
|
|
date: 2019/10/25
|
|
detection:
|
|
condition: all of them
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection1:
|
|
category: process_creation
|
|
fields:
|
|
- Image
|
|
- OriginalFileName
|
|
- ParentProcessGuid
|
|
new_fields:
|
|
- ImageFileName
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection2:
|
|
EventID: 11
|
|
fields:
|
|
- ProcessGuid
|
|
- TargetFileName
|