Process Executing Sans Command Line (RedCanary Threat Detection Report)

Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Process Executing Sans Command Line (RedCanary Threat Detection Report)
id: fbc13e37-c601-4935-aa4f-3eaaa9976003
status: experimental
description: |
    Detects processes running without command lines, which can indicate process injection.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/process-injection/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\backgroundtaskhost.exe'
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\werfault.exe'
            - '\searchprotocolhost.exe'
            - '\wuauclt.exe'
            - '\spoolsv.exe'
            - '\rundll32.exe'
            - '\regasm.exe'
            - '\regsvcs.exe'
    selection_cmd_1:
        CommandLine|re: '^(backgroundtaskhost|svchost|dllhost|werfault|searchprotocolhost|wuauclt|spoolsv|rundll32|regasm|regsvcs)(\.exe){0,}(\s|")*$'
    selection_cmd_2:
        CommandLine:
            - null
            - ''
    condition: selection_img and 1 of selection_cmd_*
falsepositives:
    - Unknown
level: low
```
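To see how the rule's condition behaves on concrete telemetry, here is the detection logic re-implemented in Python over a handful of constructed process_creation events. This is an added example, not code from RedCanary, Micah Babinski or the Sigma project; the event dictionaries, field names `Image`/`CommandLine` and the helper functions are assumptions for illustration.

```python
import re
from typing import Optional

# Image suffixes from the rule's selection_img. Sigma string matching
# (endswith) is case-insensitive, so both sides are lower-cased below.
IMAGE_SUFFIXES = (
    "\\backgroundtaskhost.exe", "\\svchost.exe", "\\dllhost.exe",
    "\\werfault.exe", "\\searchprotocolhost.exe", "\\wuauclt.exe",
    "\\spoolsv.exe", "\\rundll32.exe", "\\regasm.exe", "\\regsvcs.exe",
)

# selection_cmd_1: the rule's regex, copied as written. A plain Sigma 're'
# modifier is applied case-sensitively, so no IGNORECASE flag is used here.
BARE_CMDLINE_RE = re.compile(
    r'^(backgroundtaskhost|svchost|dllhost|werfault|searchprotocolhost|'
    r'wuauclt|spoolsv|rundll32|regasm|regsvcs)(\.exe){0,}(\s|")*$'
)


def matches_rule(image: str, command_line: Optional[str]) -> bool:
    """Evaluate 'selection_img and 1 of selection_cmd_*' for one event."""
    if not image.lower().endswith(IMAGE_SUFFIXES):
        return False
    # selection_cmd_2: the field is absent (null) or an empty string
    if command_line is None or command_line == "":
        return True
    # selection_cmd_1: bare image name, optionally followed by whitespace/quotes
    return BARE_CMDLINE_RE.match(command_line) is not None


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": None},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe  "},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
    # Leading quote: the regex is anchored with ^ and only tolerates trailing quotes
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": '"rundll32.exe"'},
    # Empty command line, but the image is not in selection_img
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": ""},
]


def matching_indices(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events)
            if matches_rule(e["Image"], e.get("CommandLine"))]


if __name__ == "__main__":
    print(matching_indices(SAMPLE_EVENTS))  # [0, 1, 2]
```

Only the first three events fire: the null command line, the bare image name, and the bare name with trailing whitespace; the fully qualified normal launch, the leading-quote variant and the out-of-scope image do not.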
