Process Injection - Prevented - Elastic Endgame

Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/03/31"
 7promotion = true
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link
13in the rule.reference column for additional information.
14"""
15from = "now-15m"
16index = ["endgame-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20max_signals = 10000
21name = "Process Injection - Prevented - Elastic Endgame"
22risk_score = 47
23rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
24severity = "medium"
25tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"]
26type = "query"
27
28query = '''
29event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
30'''
31
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1055"
36name = "Process Injection"
37reference = "https://attack.mitre.org/techniques/T1055/"
38
39[rule.threat.tactic]
40id = "TA0004"
41name = "Privilege Escalation"
42reference = "https://attack.mitre.org/tactics/TA0004/"
