Commit 5baa0e7

sentinel json file updated with new rule logic for process hollowing.
1 parent f0f1c1f commit 5baa0e7

2 files changed

+1
-66
lines changed

detections/T1093_Process_Holoowing.txt

Lines changed: 0 additions & 65 deletions
This file was deleted.

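--- a/detections/sentinel_attack_rules.json
+++ b/detections/sentinel_attack_rules.json
@@ -863,7 +863,7 @@
 "description": "Checks for execution of MITRE ATT&CK T1093",
 "severity": "High",
 "enabled": "true",
-"query": "Sysmon | where EventID == 1 and (process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" or process_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" and process_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" or process_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" or process_parent_command_line !contains \"winlogon.exe\"))",
+"query": "Sysmon | where EventID == 1 and ((process_path contains \"smss.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"csrss.exe\" and (process_parent_command_line !contains \"smss.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"wininit.exe\"andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"winlogon.exe\" andprocess_parent_command_line !contains \"smss.exe\") or (process_path contains \"lsass.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"LogonUI.exe\" and (process_parent_command_line !contains \"winlogon.exe\" andprocess_parent_command_line !contains \"wininit.exe\")) or (process_path contains \"services.exe\" andprocess_parent_command_line !contains \"wininit.exe\") or (process_path contains \"spoolsv.exe\" andprocess_parent_command_line !contains \"services.exe\") or (process_path contains \"taskhost.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"taskhostw.exe\" and (process_parent_command_line !contains \"services.exe\" andprocess_parent_command_line !contains \"svchost.exe\")) or (process_path contains \"userinit.exe\" and (process_parent_command_line !contains \"dwm.exe\" orprocess_parent_command_line !contains \"winlogon.exe\"))) | extend AccountCustomEntity = UserName | extend HostCustomEntity = Computer | extend FileHashCustomEntity = hash_sha256",
 "queryFrequency": "1H",
 "queryPeriod": "1H",
 "triggerOperator": "GreaterThan",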
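Review bot: The new `query` string on the added 866 line is not valid KQL: in every clause the boolean operator is fused to the following column name (`andprocess_parent_command_line`, `\"wininit.exe\"andprocess_parent_command_line`, `orprocess_parent_command_line`), which the parser will read as a single unknown identifier, so the rule will fail at scheduling time rather than fire. The `userinit.exe` clause also still joins its two `!contains` tests with `or`, which is always true (a parent command line cannot contain both names), so every userinit.exe start would alert; the commit switched the other multi-parent clauses to `and` but missed this one, and it should read `(process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\")`. Note too that checking the parent via `process_parent_command_line !contains` is trivially evaded by a process launched with the expected parent name anywhere in its own command line, so a parent image path field, if the Sysmon mapping exposes one, would be the more robust comparison; `"enabled": "true"` is a string where a boolean is presumably expected, but that predates this change. The enclosing rule object starts and ends outside the hunk.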
