Uncommon Process Access Rights For Target Image

Rule Info

Name
Uncommon Process Access Rights For Target Image
Author
Nasreddine Bencherchali (Nextron Systems), frack113
Description
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Reference
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
Date
2024-05-27 00:00:00
Modified
None
Id
a24e5861-c6ca-4fde-a93c-ba9256feddf0
Tags
attack.defense_evasion attack.privilege_escalation attack.t1055.011 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a24e5861-c6ca-4fde-a93c-ba9256feddf0

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4862 from @frack113 - Add `Uncommon Process Access Rights For Target Image`
2024-05-27
1c1081d87
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022