Closed frack113 closed 1 month ago
Add rules to try to detect the process injection methods available on Atomic Red Team.
new: Uncommon Process Access Rights For Target Image

Example Log Event (Sysmon Event ID 10, ProcessAccess):
SourceProcessGUID: {095b1fc8-7c26-6648-f105-000000002a00}
SourceProcessId: 9588
SourceThreadId: 4112
SourceImage: C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe
TargetProcessGUID: {095b1fc8-6415-6648-a600-000000002a00}
TargetProcessId: 4644
TargetImage: C:\WINDOWS\Explorer.EXE
GrantedAccess: 0x1FFFFF
CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1056|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+12db|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1628|C:\WINDOWS\System32\KERNEL32.DLL+1257d|C:\WINDOWS\SYSTEM32\ntdll.dll+5aa48
SourceUser: LAB\admin
TargetUser: LAB\frack113
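As an added example (not code from the PR or from the SigmaHQ rule), a small Python checker that parses the Sysmon Event ID 10 line above and flags the pattern the rule targets: a watched target image opened with write-plus-thread rights from a call stack containing a non-OS module. The watch list of target images and the "frame outside C:\WINDOWS" heuristic are assumptions of this example, not the rule's own logic, and the benign event is constructed.

```python
import re

# Sysmon Event ID 10 (ProcessAccess) fields, in the order the PR's log line uses.
FIELDS = ["SourceProcessGUID", "SourceProcessId", "SourceThreadId", "SourceImage",
          "TargetProcessGUID", "TargetProcessId", "TargetImage", "GrantedAccess",
          "CallTrace", "SourceUser", "TargetUser"]
_KEY = re.compile("(" + "|".join(FIELDS) + "): ")

# winnt.h bits an injector needs on the target: CREATE_THREAD | VM_OPERATION | VM_WRITE.
# 0x1FFFFF (PROCESS_ALL_ACCESS, as in the PR's event) includes all three.
INJECT_BITS = 0x0002 | 0x0008 | 0x0020
# Assumed watch list for this example; the PR's rule defines its own target set.
WATCHED_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe"}

def parse_event(line: str) -> dict:
    """Split a one-line ProcessAccess event into a field -> value dict."""
    parts = _KEY.split(line)  # ['', key1, value1, key2, value2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def is_uncommon_access(event: dict) -> bool:
    """True when a non-OS module requests write+thread rights on a watched target."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    granted = int(event["GrantedAccess"], 16)
    if target not in WATCHED_TARGETS or granted & INJECT_BITS != INJECT_BITS:
        return False
    # Assumption: a call-stack frame outside C:\WINDOWS means the request came from
    # code that is not part of the OS (here the Atomic test binary).
    frames = event["CallTrace"].split("|")
    return any(not f.lower().startswith("c:\\windows\\") for f in frames)

# The event from the PR: Atomic T1055.011 opening Explorer.EXE with 0x1FFFFF.
SAMPLE = (
    r"SourceProcessGUID: {095b1fc8-7c26-6648-f105-000000002a00} SourceProcessId: 9588 SourceThreadId: 4112 "
    r"SourceImage: C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe "
    r"TargetProcessGUID: {095b1fc8-6415-6648-a600-000000002a00} TargetProcessId: 4644 "
    r"TargetImage: C:\WINDOWS\Explorer.EXE GrantedAccess: 0x1FFFFF "
    r"CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce|"
    r"C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1056|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+12db|"
    r"C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1628|C:\WINDOWS\System32\KERNEL32.DLL+1257d|"
    r"C:\WINDOWS\SYSTEM32\ntdll.dll+5aa48 SourceUser: LAB\admin TargetUser: LAB\frack113"
)
# Constructed benign event: Task Manager querying Explorer with limited rights only.
BENIGN = (
    r"SourceProcessGUID: {00000000-0000-0000-0000-000000000001} SourceProcessId: 1234 SourceThreadId: 5678 "
    r"SourceImage: C:\WINDOWS\System32\Taskmgr.exe "
    r"TargetProcessGUID: {00000000-0000-0000-0000-000000000002} TargetProcessId: 4644 "
    r"TargetImage: C:\WINDOWS\Explorer.EXE GrantedAccess: 0x1000 "
    r"CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce "
    r"SourceUser: LAB\frack113 TargetUser: LAB\frack113"
)
```

`is_uncommon_access(parse_event(SAMPLE))` returns True for the PR's event and False for the constructed benign one.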