detection.wiki

Detection rules › Sigma

Uncommon Process Access Rights For Target Image

Severity
low
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Source
upstream

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1055.011 Process Injection: Extra Window Memory Injection
Defense EvasionT1055.011 Process Injection: Extra Window Memory Injection

Event coverage

ProviderEvent IDTitle
Sysmon10ProcessAccess

Stages and Predicates

Stage 1: selection

or:
TargetImage|endswith: '\calc.exe'
TargetImage|endswith: '\calculator.exe'
TargetImage|endswith: '\mspaint.exe'
TargetImage|endswith: '\notepad.exe'
TargetImage|endswith: '\ping.exe'
TargetImage|endswith: '\wordpad.exe'
TargetImage|endswith: '\write.exe'
GrantedAccess: 0x1FFFFF

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
GrantedAccesseq
  • 0x1FFFFF corpus 3 (sigma 3)
TargetImageends_with
  • \calc.exe corpus 2 (sigma 2)
  • \calculator.exe corpus 2 (sigma 2)
  • \mspaint.exe corpus 2 (sigma 2)
  • \notepad.exe corpus 2 (sigma 2)
  • \ping.exe corpus 2 (sigma 2)
  • \wordpad.exe corpus 2 (sigma 2)
  • \write.exe corpus 2 (sigma 2)