Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Sigma rule (View on GitHub)
1title: Uncommon Process Access Rights For Target Image
2id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
3status: experimental
4description: |
5 Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
6references:
7 - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
8author: Nasreddine Bencherchali (Nextron Systems), frack113
9date: 2024/05/27
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1055.011
14logsource:
15 category: process_access
16 product: windows
17detection:
18 selection:
19 TargetImage|endswith:
20 # Note: Add additional uncommon targets to increase coverage.
21 - '\calc.exe'
22 - '\calculator.exe'
23 - '\mspaint.exe'
24 - '\notepad.exe'
25 - '\ping.exe'
26 - '\wordpad.exe'
27 - '\write.exe'
28 GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
29 condition: selection
30falsepositives:
31 - Unknown
32# Note: please upgrade to a higher level after an initial test/tuning.
33level: low
References
Related rules
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Potentially Suspicious Child Process of KeyScrambler.exe
- UAC Disabled
- UAC Notification Disabled