Defense evasion via process reimaging
Detects process reimaging defense evasion technique
Sigma rule
action: global
title: Defense evasion via process reimaging
id: 7fa4f550-850e-4117-b543-428c86ebb849
description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFilename
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occur in a timeframe of 120 sec.
# Rule logic is currently not supported by SIGMA.
# Sysmon v.10.0 or newer is required for proper detection.
status: unsupported
author: Alexey Balandin, oscd.community
references:
  - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
tags:
  - attack.defense_evasion
date: 2019/10/25
modified: 2021/12/02
detection:
  condition: all of selection*
falsepositives:
  - Unknown
level: high
---
logsource:
  product: windows
  service: sysmon
detection:
  selection1:
    category: process_creation
fields:
  - Image
  - OriginalFileName
  - ParentProcessGuid
new_fields:
  - ImageFileName
---
logsource:
  product: windows
  service: sysmon
detection:
  selection2:
    EventID: 11
fields:
  - ProcessGuid
  - TargetFilename
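Because the rule is marked unsupported (Sigma cannot express the cross-event join and the 120-second window described in the comments), the correlation has to live in the SIEM or a post-processing step. The following Python is an added example of that correlation, not code from the rule or from oscd.community. It assumes Sysmon events as plain dicts keyed by Sysmon field names (EventID 1 with Image, OriginalFileName, ProcessGuid, ParentProcessGuid; EventID 11 with ProcessGuid, TargetFilename), derives ImageFileName as the last path component of Image exactly as the enrichment comment states, and compares paths case-insensitively (an assumption; the rule does not say). The GUIDs, paths and timestamps in SAMPLE_EVENTS are constructed.

```python
"""Correlate the rule's selection1 (process creation) with selection2 (file create).

Added example, not part of the Sigma rule. Events are dicts with Sysmon field
names; SAMPLE_EVENTS below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.fff"
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
WINDOW = timedelta(seconds=120)  # timeframe named in the rule comments


def image_file_name(image):
    """Enrichment from the rule comments: ImageFileName is the last component of Image."""
    return image.rsplit("\\", 1)[-1]


def detect_process_reimaging(events, window=WINDOW):
    """Return one alert per EventID 1 event that satisfies every condition:
    - ImageFileName != OriginalFileName                      (selection1)
    - an EventID 11 event whose ProcessGuid == ParentProcessGuid
      and whose TargetFilename == Image                      (selection2)
    - the two events lie within `window` of each other
    """
    # Index file creates by (creating process, lower-cased path). NTFS paths are
    # case-insensitive, so lower-casing is an assumption that avoids misses.
    file_creates = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 11:
            key = (ev["ProcessGuid"], ev["TargetFilename"].lower())
            when = datetime.strptime(ev["UtcTime"], SYSMON_TIME_FMT)
            file_creates[key].append((when, ev["UtcTime"]))

    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        on_disk = image_file_name(ev["Image"])
        original = ev.get("OriginalFileName", "")
        if on_disk.lower() == original.lower():
            continue  # name on disk agrees with the PE version resource
        started = datetime.strptime(ev["UtcTime"], SYSMON_TIME_FMT)
        key = (ev["ParentProcessGuid"], ev["Image"].lower())
        for written_at, raw_time in file_creates.get(key, []):
            if abs(started - written_at) <= window:
                alerts.append({
                    "ProcessGuid": ev["ProcessGuid"],
                    "ParentProcessGuid": ev["ParentProcessGuid"],
                    "Image": ev["Image"],
                    "ImageFileName": on_disk,
                    "OriginalFileName": original,
                    "FileCreateUtcTime": raw_time,
                })
                break  # one alert per child process is enough
    return alerts


# Constructed sample: (1) a parent writes a renamed binary and launches it 30 s
# later (hit); (2) an installer whose on-disk name matches OriginalFileName
# (no hit); (3) a file written an hour before it was executed (outside the
# window, no hit). GUIDs are placeholders, not real Sysmon values.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2019-10-25 10:00:00.000",
     "ProcessGuid": "{PARENT-GUID-0001}",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": 1, "UtcTime": "2019-10-25 10:00:30.000",
     "ProcessGuid": "{CHILD-GUID-0002}", "ParentProcessGuid": "{PARENT-GUID-0001}",
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe",
     "OriginalFileName": "payload.exe"},
    {"EventID": 11, "UtcTime": "2019-10-25 10:05:00.000",
     "ProcessGuid": "{PARENT-GUID-0001}",
     "TargetFilename": "C:\\Temp\\setup.exe"},
    {"EventID": 1, "UtcTime": "2019-10-25 10:05:05.000",
     "ProcessGuid": "{CHILD-GUID-0003}", "ParentProcessGuid": "{PARENT-GUID-0001}",
     "Image": "C:\\Temp\\setup.exe", "OriginalFileName": "setup.exe"},
    {"EventID": 11, "UtcTime": "2019-10-25 09:00:00.000",
     "ProcessGuid": "{PARENT-GUID-0004}",
     "TargetFilename": "C:\\Temp\\old.exe"},
    {"EventID": 1, "UtcTime": "2019-10-25 10:00:00.000",
     "ProcessGuid": "{CHILD-GUID-0005}", "ParentProcessGuid": "{PARENT-GUID-0004}",
     "Image": "C:\\Temp\\old.exe", "OriginalFileName": "other.exe"},
]

if __name__ == "__main__":
    for alert in detect_process_reimaging(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only the first pair fires: the child's on-disk name (svchost.exe) disagrees with its OriginalFileName, the parent that wrote the file is the one that spawned it, and the two events are 30 seconds apart. The installer case is suppressed by the name check and the stale write by the window, which is where the rule's "Unknown" false-positive entry would be refined in practice (for example, by also requiring OriginalFileName to be non-empty, since packers sometimes omit it).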