Commit f0f1c1f

Process hollowing txt file name updated.
1 parent 61cc1da commit f0f1c1f

1 file changed

+65
-0
lines changed

1 file changed

+65
-0
lines changed
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
// Name: Process Hollowing
2+
// Description: Checks for execution of MITRE ATT&CK T1093
3+
//
4+
// Severity: High
5+
//
6+
// QueryFrequency: 1h
7+
//
8+
// QueryPeriod: 1h
9+
//
10+
// AlertTriggerThreshold: 1
11+
//
12+
// DataSource: #Sysmon
13+
//
14+
// Tactics: #Defense Evasion
15+
//
16+
Sysmon
17+
| where EventID == 1 and (
18+
(
19+
process_path contains "smss.exe" and
20+
process_parent_command_line !contains "smss.exe"
21+
) or (
22+
process_path contains "csrss.exe" and (
23+
process_parent_command_line !contains "smss.exe" and
24+
process_parent_command_line !contains "svchost.exe"
25+
)
26+
) or (
27+
process_path contains "wininit.exe"and
28+
process_parent_command_line !contains "smss.exe"
29+
) or (
30+
process_path contains "winlogon.exe" and
31+
process_parent_command_line !contains "smss.exe"
32+
) or (
33+
process_path contains "lsass.exe" and
34+
process_parent_command_line !contains "wininit.exe"
35+
) or (
36+
process_path contains "LogonUI.exe" and (
37+
process_parent_command_line !contains "winlogon.exe" and
38+
process_parent_command_line !contains "wininit.exe"
39+
)
40+
) or (
41+
process_path contains "services.exe" and
42+
process_parent_command_line !contains "wininit.exe"
43+
) or (
44+
process_path contains "spoolsv.exe" and
45+
process_parent_command_line !contains "services.exe"
46+
) or (
47+
process_path contains "taskhost.exe" and (
48+
process_parent_command_line !contains "services.exe" and
49+
process_parent_command_line !contains "svchost.exe"
50+
)
51+
) or (
52+
process_path contains "taskhostw.exe" and (
53+
process_parent_command_line !contains "services.exe" and
54+
process_parent_command_line !contains "svchost.exe"
55+
)
56+
) or (
57+
process_path contains "userinit.exe" and (
58+
process_parent_command_line !contains "dwm.exe" or
59+
process_parent_command_line !contains "winlogon.exe"
60+
)
61+
)
62+
)
63+
| extend AccountCustomEntity = UserName
64+
| extend HostCustomEntity = Computer
65+
| extend FileHashCustomEntity = hash_sha256
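Review bot: The userinit.exe clause (new lines 57-60) joins its two parent checks with `or`, so it is true unless the parent command line contains both "dwm.exe" and "winlogon.exe" — in practice every userinit.exe start will alert. Every other clause in the query uses `and` between its `!contains` tests and this one should too: `process_parent_command_line !contains "dwm.exe" and`. Separately, `!contains` is true for an empty string, so if the parser leaves process_parent_command_line empty (for example when the parent had already exited when Sysmon logged the child) each of these clauses fires; if that proves noisy, consider adding `and isnotempty(process_parent_command_line)` to the filter. The header cites T1093, which ATT&CK has since deprecated in favour of T1055.012 (Process Injection: Process Hollowing), and what the query actually checks is an unexpected parent for core Windows processes rather than hollowing itself; the description could read `// Description: Flags core Windows processes started by an unexpected parent, a heuristic for process hollowing / masquerading (MITRE ATT&CK T1055.012, formerly T1093)`. Minor: new line 27 is missing the space in `"wininit.exe" and`.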
