Uncommon Process Access Rights For Target Image

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

Sigma rule (View on GitHub)

 1title: Uncommon Process Access Rights For Target Image
 2id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
 3status: experimental
 4description: |
 5        Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
 6references:
 7    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 8author: Nasreddine Bencherchali (Nextron Systems), frack113
 9date: 2024-05-27
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1055.011
14logsource:
15    category: process_access
16    product: windows
17detection:
18    selection:
19        TargetImage|endswith:
20            # Note: Add additional uncommon targets to increase coverage.
21            - '\calc.exe'
22            - '\calculator.exe'
23            - '\mspaint.exe'
24            - '\notepad.exe'
25            - '\ping.exe'
26            - '\wordpad.exe'
27            - '\write.exe'
28        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
29    condition: selection
30falsepositives:
31    - Unknown
32# Note: please upgrade to a higher level after an initial test/tuning.
33level: low

References

Related rules

to-top