Process Launched Without Image Name

Rule Info

Name
Process Launched Without Image Name
Author
Matt Anderson (Huntress)
Description
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
Reference
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Date
2024-07-23 00:00:00
Modified
None
Id
f208d6d8-d83a-4c2c-960d-877c37da84e5
Tags
attack.defense-evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f208d6d8-d83a-4c2c-960d-877c37da84e5

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Matt Anderson
Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC
2024-07-23
6df2ba31b
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022