Process Execution sans Command Lines
Looks for process execution with no command line arguments, which may indicate process injection. The Windows binaries listed in the rule are normally started with arguments (for example `svchost.exe -k <group>` or `dllhost.exe /Processid:{...}`), so an instance launched with a bare executable path is a common sign of a process created only to serve as an injection or hollowing target. Inspired by the 2022 Red Canary Threat Detection Report.
Sigma rule
```yaml
title: Process Execution sans Command Lines
id: e0a2f82f-d11d-4ea7-af7e-a8f760b07c04
status: experimental
description: Looks for process execution with no command line arguments, which may
  indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.
references:
  - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: Micah Babinski
date: 2022/11/03
tags:
  - attack.privilege_escalation
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\backgroundtaskhost.exe'
      - '\svchost.exe'
      - '\dllhost.exe'
      - '\werfault.exe'
      - '\searchprotocolhost.exe'
      - '\wuauclt.exe'
      - '\spoolsv.exe'
      - '\rundll32.exe'
      - '\regasm.exe'
      - '\regsvr32.exe'
      - '\regsvcs.exe'
    # matches command lines ending in .exe, optionally followed only by
    # whitespace and/or double quotes (i.e. a bare, possibly quoted, path)
    CommandLine|re: '^.*\.exe(\s|")*$'
  condition: selection
falsepositives:
  - Unknown
level: high
```
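The selection above, run over a handful of process_creation events, as an added example written for this page (it is not the rule author's code and not SigmaHQ tooling). It reuses the rule's image list and regex verbatim; the sample events and their ProcessIds are constructed, not real telemetry. Two of the samples exercise edge cases the regex implies: a quoted bare path, which the trailing `(\s|")*` accepts, and a command line whose last argument itself ends in `.exe`, which the leading `^.*` also accepts even though the process clearly has arguments.

```python
import re

# Image suffixes taken from the rule's Image|endswith list. Sigma string
# modifiers compare case-insensitively, so they are lowercased for the check.
IMAGE_SUFFIXES = tuple(s.lower() for s in (
    r"\backgroundtaskhost.exe", r"\svchost.exe", r"\dllhost.exe", r"\werfault.exe",
    r"\searchprotocolhost.exe", r"\wuauclt.exe", r"\spoolsv.exe", r"\rundll32.exe",
    r"\regasm.exe", r"\regsvr32.exe", r"\regsvcs.exe",
))

# Exact regex from the rule's CommandLine|re field: anything ending in ".exe",
# followed only by whitespace and/or double quotes. Unlike the other string
# modifiers, `re` is applied verbatim, i.e. case-sensitively.
COMMANDLINE_RE = re.compile(r'^.*\.exe(\s|")*$')


def matches_rule(event):
    """Return True when one process_creation event satisfies the rule's selection."""
    image = str(event.get("Image", ""))
    cmdline = str(event.get("CommandLine", ""))
    return image.lower().endswith(IMAGE_SUFFIXES) and COMMANDLINE_RE.match(cmdline) is not None


def run_rule(events):
    """Apply the rule to a list of events and return the ProcessIds that fire."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), shaped like the Image /
# CommandLine fields of Sysmon Event ID 1 or Security 4688 records.
SAMPLE_EVENTS = [
    # Normal service host with arguments: must not fire.
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # svchost started with a bare path: fires.
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    # Quoted bare path: the trailing quote is allowed by the regex, so it fires.
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": '"C:\\Windows\\System32\\dllhost.exe"'},
    # Normal COM surrogate with a /Processid argument (constructed GUID): must not fire.
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\DllHost.exe",
     "CommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    # Image not in the rule's list: must not fire even with a bare command line.
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
    # Regex caveat: "^.*\.exe" also matches an argument that ends in .exe,
    # so this rundll32 invocation fires although it does have an argument.
    {"ProcessId": 1006, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Temp\tool.exe"},
    # Upper-case extension: the case-sensitive regex does not match, so it does not fire.
    {"ProcessId": 1007, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE"},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [1002, 1003, 1006]
```

Events 1006 and 1007 are the ones worth tuning for: an argument ending in `.exe` slips through the regex, and an upper-case `.EXE` slips past it, because `re` matches are case-sensitive while `endswith` is not.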