Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Sigma rule (View on GitHub)
1title: Uncommon Process Access Rights For Target Image
2id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
3status: experimental
4description: |
5 Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
6references:
7 - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
8author: Nasreddine Bencherchali (Nextron Systems), frack113
9date: 2024-05-27
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1055.011
14logsource:
15 category: process_access
16 product: windows
17detection:
18 selection:
19 TargetImage|endswith:
20 # Note: Add additional uncommon targets to increase coverage.
21 - '\calc.exe'
22 - '\calculator.exe'
23 - '\mspaint.exe'
24 - '\notepad.exe'
25 - '\ping.exe'
26 - '\wordpad.exe'
27 - '\write.exe'
28 GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
29 condition: selection
30falsepositives:
31 - Unknown
32# Note: please upgrade to a higher level after an initial test/tuning.
33level: low
References
-
The Microsoft Windows security model enables you to control access to process objects. For more information about security, see Access-Control Model.
Read More
Related rules
- APT PRIVATELOG Image Load Pattern
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address