Execution Of Non-Existing File
Detects process creation events whose Image field is not a full, absolute path (it contains no backslash). A process whose backing file has already been removed from disk, as in process ghosting and similar unorthodox process-start techniques, can be logged this way, which the rule treats as suspicious once the well-known Windows pseudo-processes and empty values are excluded.
Sigma rule

```yaml
title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: test
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2022-12-14
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    # A backslash anywhere in Image is taken as evidence of a real path
    image_absolute_path:
        Image|contains: '\'
    # Events that carry no usable Image value at all
    filter_null:
        Image: null
    filter_empty:
        Image:
            - '-'
            - ''
    # Kernel pseudo-processes that Security event 4688 logs without a path
    filter_4688:
        - Image:
              - 'System'
              - 'Registry'
              - 'MemCompression'
              - 'vmmem'
        - CommandLine:
              - 'Registry'
              - 'MemCompression'
              - 'vmmem'
    condition: not image_absolute_path and not 1 of filter*
falsepositives:
    - Unknown
level: high
```
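To see how the four selections combine under the condition `not image_absolute_path and not 1 of filter*`, here is a hand-written re-implementation of the rule's logic run over a handful of constructed process-creation records. This is an added example, not SigmaHQ code and not output of any Sigma backend: it uses no Sigma library, the field names follow the Sigma `process_creation` taxonomy (`Image`, `CommandLine`), string comparisons are case-insensitive as Sigma specifies, and the sample events (including the bare `ghost.exe` image name) are made up for illustration rather than captured telemetry.

```python
"""Evaluate the logic of the "Execution Of Non-Existing File" Sigma rule over
constructed process-creation records.

Added example, not SigmaHQ code: the detection block is re-implemented by hand
(no Sigma library) so the condition
    not image_absolute_path and not 1 of filter*
can be exercised offline. Field names follow the Sigma process_creation
taxonomy (Image, CommandLine); the sample events below are constructed.
"""

# filter_4688: kernel pseudo-processes that Windows logs without a path.
# Lower-cased because Sigma string matching is case-insensitive by default.
FILTER_IMAGE = {"system", "registry", "memcompression", "vmmem"}
FILTER_CMDLINE = {"registry", "memcompression", "vmmem"}


def rule_matches(event: dict) -> bool:
    """Return True if the rule fires for one process_creation event."""
    image = event.get("Image")

    # filter_null: Sigma 'Image: null' matches an absent field.
    if image is None:
        return False
    # filter_empty: Security 4688 writes '-' for an unknown image; '' is excluded too.
    if image in ("-", ""):
        return False
    # image_absolute_path: 'Image|contains: "\"' -> any backslash counts as a path,
    # and the condition negates it, so such events never match.
    if "\\" in image:
        return False
    # filter_4688: a list of maps is OR'ed, so either Image or CommandLine
    # naming a known pseudo-process suppresses the alert.
    if image.lower() in FILTER_IMAGE:
        return False
    cmdline = event.get("CommandLine")
    if cmdline is not None and cmdline.lower() in FILTER_CMDLINE:
        return False
    return True


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Ordinary Sysmon EID 1 with a full path -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Security 4688 pseudo-processes -> suppressed by filter_4688
    {"Image": "System", "CommandLine": ""},
    {"Image": "Registry", "CommandLine": "Registry"},
    # 4688 with no image recorded -> suppressed by filter_empty
    {"Image": "-", "CommandLine": "-"},
    # Event with no Image field at all -> suppressed by filter_null
    {"CommandLine": "something"},
    # Bare file name with no directory component -> alert
    {"Image": "ghost.exe", "CommandLine": "ghost.exe"},
    # Case variation: still suppressed because matching is case-insensitive
    {"Image": "VMMEM", "CommandLine": ""},
]


def run(events=SAMPLE_EVENTS):
    """Return the Image values of all events that trigger the rule."""
    return [e.get("Image") for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run():
        print(f"ALERT Execution Of Non-Existing File: Image={hit!r}")
```

Running the script prints a single alert, for the `ghost.exe` record; every other sample is dropped by one of the selections. Two things worth checking before deploying the converted rule in your own SIEM: that the backend preserves Sigma's case-insensitive matching (otherwise `VMMEM` would alert), and that your 4688 field mapping really places `NewProcessName` into `Image`, since a mapping gap would leave `Image` null on every 4688 event and silently disable the rule there.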