Process Launched Without Image Name
Detects processes launched from an image whose file name is empty, i.e. the Image path ends in "\.exe" (the name is just ".exe"); such processes can be used to evade Image-based detections.
Sigma rule

```yaml
title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: experimental
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\.exe'
    condition: selection
falsepositives:
    - Rare legitimate software.
level: medium
```
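The rule's single condition, `Image|endswith: '\.exe'`, applied to a few constructed process_creation events so its match behaviour (including Sigma's default case-insensitive comparison) can be checked offline. This is an added example, not code from the rule author or the Sigma project; the event dicts, paths and the `triage_summary` helper are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample events (made up for this example, not real telemetry) in
# the shape of Sysmon Event ID 1 / Sigma process_creation records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Empty file name: the path ends in "\.exe" -> should match
    {"Image": r"C:\Users\Public\.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same trick with different casing; Sigma string matching is
    # case-insensitive by default, so this must match too
    {"Image": r"C:\ProgramData\tmp\.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Ordinary binary whose name merely contains a dot -> no match
    {"Image": r"C:\Program Files\App\update.v2.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def image_has_no_name(image: str) -> bool:
    """Sigma 'Image|endswith: \\.exe' with the default case-insensitive compare.

    The backslash is what makes the pattern precise: every normal binary ends in
    ".exe", but only a path whose last component is exactly ".exe" ends in
    "\\.exe". Note a bare relative value of ".exe" (no directory) would not
    match the rule as written; Sysmon logs full paths, so that rarely matters.
    """
    return image.lower().endswith("\\.exe")


def apply_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the rule's 'selection' condition."""
    return [e for e in events if image_has_no_name(e.get("Image", ""))]


def triage_summary(hit: Dict[str, str]) -> str:
    """Directory and parent of a hit, the context needed to judge the
    'rare legitimate software' false positive the rule warns about."""
    directory = hit["Image"].rsplit("\\", 1)[0]
    return f"nameless image in {directory}, parent={hit.get('ParentImage', '?')}"


if __name__ == "__main__":
    for hit in apply_rule(SAMPLE_EVENTS):
        print(triage_summary(hit))
```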