Process Injection - Detected - Elastic Endgame

calendarApr 3, 2023  ·
Share on: linkedincopy

Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/03/31"
 7promotion = true
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in
13the rule.reference column for additional information.
14"""
15from = "now-15m"
16index = ["endgame-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20max_signals = 10000
21name = "Process Injection - Detected - Elastic Endgame"
22risk_score = 73
23rule_id = "80c52164-c82a-402c-9964-852533d58be1"
24severity = "high"
25tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"]
26type = "query"
27
28query = '''
29event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
30'''
31
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1055"
36name = "Process Injection"
37reference = "https://attack.mitre.org/techniques/T1055/"
38
39[rule.threat.tactic]
40id = "TA0004"
41name = "Privilege Escalation"
42reference = "https://attack.mitre.org/tactics/TA0004/"```

to-top