Process Execution sans Command Lines

Looks for process execution with no command line arguments, which may indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.

Sigma rule

```yaml
title: Process Execution sans Command Lines
id: e0a2f82f-d11d-4ea7-af7e-a8f760b07c04
status: experimental
description: Looks for process execution with no command line arguments, which may
    indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\backgroundtaskhost.exe'
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\werfault.exe'
            - '\searchprotocolhost.exe'
            - '\wuauclt.exe'
            - '\spoolsv.exe'
            - '\rundll32.exe'
            - '\regasm.exe'
            - '\regsvr32.exe'
            - '\regsvcs.exe'
        # looks for command line values ending with exe or exe" and no other characters following
        CommandLine|re: '^.*\.exe(\s|")*$'
    condition: selection
falsepositives:
    - Unknown
level: high
```
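To see what the selection above actually fires on, here is an added Python re-implementation of the rule's logic (not part of the rule or the Sigma project) run over constructed process-creation events; the image list and regex are taken verbatim from the rule, and the case-insensitive image comparison is an assumption about how a Windows backend evaluates `endswith`. It also shows one quirk of the regex worth knowing when tuning: a command line whose last argument ends in `.exe` matches too.

```python
import re

# Image names from the rule's selection; compared case-insensitively
# (assumed backend behaviour for Windows paths).
IMAGE_SUFFIXES = (
    "\\backgroundtaskhost.exe", "\\svchost.exe", "\\dllhost.exe", "\\werfault.exe",
    "\\searchprotocolhost.exe", "\\wuauclt.exe", "\\spoolsv.exe", "\\rundll32.exe",
    "\\regasm.exe", "\\regsvr32.exe", "\\regsvcs.exe",
)

# The rule's regex: the command line ends in ".exe" followed only by
# whitespace or double quotes, i.e. no arguments were passed.
NO_ARGS_RE = re.compile(r'^.*\.exe(\s|")*$')

def matches_rule(event):
    """Return True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(IMAGE_SUFFIXES):
        return False
    return NO_ARGS_RE.match(cmdline) is not None

def alerts(events):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # normal service host launch with arguments: no alert
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # bare image with no arguments: alert
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    # quoted image plus trailing space, which the (\s|")* tail allows: alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": '"C:\\Windows\\System32\\rundll32.exe" '},
    # rundll32 with a DLL argument: no alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # image not in the list, even with no arguments: no alert
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
    # regex quirk: an argument ending in ".exe" still satisfies ^.*\.exe...$
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe C:\Temp\helper.exe"},
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", repr(line))
```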
