Process Launched Without Image Name
Detects process creation events whose image path ends in a bare ".exe", i.e. an executable whose file name is nothing but the extension. Such binaries can slip past detections that key on the image name, since there is no name to match.
Sigma rule
title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: test
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\.exe'
    condition: selection
falsepositives:
    - Rare legitimate software.
level: medium
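The selection above is a single `endswith` test on the `Image` field. Two details matter when reading it: Sigma string matching is case-insensitive by default, and a single backslash before a non-wildcard character in a Sigma value is a literal backslash, so `'\.exe'` means "a path separator followed by `.exe` and nothing else", not a regex escape. The following is an added example, not part of the rule or of SigmaHQ tooling: a minimal evaluator for that one selection, run over constructed Sysmon-style process_creation events (the events and the helper names are assumptions for illustration).

```python
"""
Added example (not from the Sigma rule or SigmaHQ tooling): evaluate the
`Image|endswith: '\.exe'` selection over constructed process_creation events.
"""

# The rule's selection, transcribed from the YAML above. In Python source the
# value must be written with an escaped backslash to get the literal "\.exe".
SELECTION = {"Image|endswith": "\\.exe"}


def field_matches(modifier_key: str, pattern: str, event: dict) -> bool:
    """Apply one Sigma field test ("Field|modifier": pattern) to an event.

    Only the string modifiers needed here are implemented; Sigma matching is
    case-insensitive, which is why both sides are lower-cased.
    """
    field, _, modifier = modifier_key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # missing field never matches
    v, p = value.lower(), pattern.lower()
    if modifier == "":
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """A Sigma selection map is an AND over all of its field tests."""
    return all(field_matches(k, v, event) for k, v in selection.items())


def find_nameless_image_processes(events: list[dict]) -> list[dict]:
    """Return the events the rule would fire on."""
    return [e for e in events if selection_matches(SELECTION, e)]


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # File literally named ".exe" in a user-writable directory: should match.
    {"EventID": 1, "Image": "C:\\Users\\Public\\.exe",
     "CommandLine": "\"C:\\Users\\Public\\.exe\" --update"},
    # Same trick with upper-case extension: matches because Sigma is case-insensitive.
    {"EventID": 1, "Image": "C:\\ProgramData\\.EXE",
     "CommandLine": "\"C:\\ProgramData\\.EXE\""},
    # Ordinary names, including a one-character name, must not match.
    {"EventID": 1, "Image": "C:\\Temp\\update.exe", "CommandLine": "update.exe"},
    {"EventID": 1, "Image": "C:\\Temp\\x.exe", "CommandLine": "x.exe"},
]


if __name__ == "__main__":
    for hit in find_nameless_image_processes(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "|", hit["CommandLine"])
```

Running it flags only the two `\.exe` images. Note the edge the pattern deliberately encodes: a value of just `.exe` with no preceding separator does not match, so the rule relies on `Image` being a full path, which is what Sysmon and most EDR process_creation sources supply. When porting the rule to a backend by hand, check that the compiled query keeps the backslash literal and stays case-insensitive; both are easy to lose in a regex-based translation.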
Related rules
- BitLockerTogo.EXE Execution
- Forest Blizzard APT - File Creation Activity
- Github Secret Scanning Feature Disabled
- PDF File Created By RegEdit.EXE
- Renamed BOINC Client Execution