Uncommon Target Image For Process Access - PROCESS_ALL_ACCESS

Summary of the Pull Request

Add rules to try to detect the process injection methods available on atomic red team

Changelog

new: Uncommon Process Access Rights For Target Image

Example Log Event

SourceProcessGUID: {095b1fc8-7c26-6648-f105-000000002a00}
SourceProcessId: 9588
SourceThreadId: 4112
SourceImage: C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe
TargetProcessGUID: {095b1fc8-6415-6648-a600-000000002a00}
TargetProcessId: 4644
TargetImage: C:\WINDOWS\Explorer.EXE
GrantedAccess: 0x1FFFFF
CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1056|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+12db|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1628|C:\WINDOWS\System32\KERNEL32.DLL+1257d|C:\WINDOWS\SYSTEM32\ntdll.dll+5aa48
SourceUser: LAB\admin
TargetUser: LAB\frack113

Fixed Issues

SigmaHQ Rule Creation Conventions

If your PR adds new rules, please consider following and applying these conventions

SigmaHQ / sigma

Uncommon Target Image For Process Access - PROCESS_ALL_ACCESS #4862

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions