
Redcannary process injection

Open frack113 opened this issue 1 year ago • 0 comments

Summary of the Pull Request

Add rules to try to detect the process injection methods available in Atomic Red Team.

Changelog

new: Potential Calc Injection
new: Potential Explorer Injection

Example Log Event

SourceProcessGUID: {095b1fc8-7c26-6648-f105-000000002a00}
SourceProcessId: 9588
SourceThreadId: 4112
SourceImage: C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe
TargetProcessGUID: {095b1fc8-6415-6648-a600-000000002a00}
TargetProcessId: 4644
TargetImage: C:\WINDOWS\Explorer.EXE
GrantedAccess: 0x1FFFFF
CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1056|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+12db|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1628|C:\WINDOWS\System32\KERNEL32.DLL+1257d|C:\WINDOWS\SYSTEM32\ntdll.dll+5aa48
SourceUser: LAB\admin
TargetUser: LAB\frack113

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

frack113, May 23 '24 18:05
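The example log event above is a Sysmon Event ID 10 (ProcessAccess) record. The following is an added example, not code from this PR or from the SigmaHQ rules it adds: it parses such a record from its "Key: Value" rendering and applies a hypothetical injection check in the spirit of the "Potential Calc Injection" / "Potential Explorer Injection" rules, covering both targets with one function. The GrantedAccess bits are documented Windows process rights; the target list, the source allowlist, the system-directory prefixes and the "foreign call-trace frame" heuristic are assumptions for illustration, not the merged rule logic. The injection sample is copied from the PR's event; the benign sample is constructed.

```python
"""Added example (not the PR's code): parse a Sysmon ProcessAccess event and
apply an assumed injection check against calc.exe / explorer.exe targets."""

# Documented Windows process access rights typically needed for injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_BITS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed: the two target images named in the PR changelog.
TARGETS = {"explorer.exe", "calc.exe"}
# Assumed allowlist of sources expected to open those targets with write/thread
# rights; tune for your environment.
ALLOWED_SOURCES = {"c:\\windows\\system32\\csrss.exe"}
# Assumed: modules under these prefixes are treated as trusted call-trace frames.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Copied from the PR's example log event (T1055.011 atomic opening explorer.exe).
SAMPLE_INJECTION = r"""
SourceProcessGUID: {095b1fc8-7c26-6648-f105-000000002a00}
SourceProcessId: 9588
SourceThreadId: 4112
SourceImage: C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe
TargetProcessGUID: {095b1fc8-6415-6648-a600-000000002a00}
TargetProcessId: 4644
TargetImage: C:\WINDOWS\Explorer.EXE
GrantedAccess: 0x1FFFFF
CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1056|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+12db|C:\AtomicRedTeam\atomics\T1055.011\bin\T1055.011_x64.exe+1628|C:\WINDOWS\System32\KERNEL32.DLL+1257d|C:\WINDOWS\SYSTEM32\ntdll.dll+5aa48
SourceUser: LAB\admin
TargetUser: LAB\frack113
"""

# Constructed benign event: a query-only handle to explorer.exe from a system binary.
SAMPLE_BENIGN = r"""
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\explorer.exe
GrantedAccess: 0x1000
CallTrace: C:\WINDOWS\SYSTEM32\ntdll.dll+9fe14|C:\WINDOWS\System32\KERNELBASE.dll+2c8ce
"""


def parse_event(text):
    """Turn 'Key: Value' lines into a dict; the value keeps later colons (drive letters)."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def granted_access(fields):
    """GrantedAccess is rendered by Sysmon as a hex string."""
    return int(fields.get("GrantedAccess", "0x0"), 16)


def foreign_frames(calltrace):
    """Call-trace modules that live outside the assumed system directories."""
    frames = []
    for frame in filter(None, calltrace.split("|")):
        module = frame.rsplit("+", 1)[0].lower()  # strip the +offset
        if not module.startswith(SYSTEM_DIRS):
            frames.append(module)
    return frames


def potential_injection(fields, targets=TARGETS):
    """Return a finding dict if the event looks like injection into one of
    `targets`, else None. Assumed logic: target basename is listed, source is
    not allowlisted, the handle carries thread-creation plus VM-write rights,
    and at least one call-trace frame comes from outside the system dirs."""
    target = fields.get("TargetImage", "").lower()
    source = fields.get("SourceImage", "").lower()
    name = target.rsplit("\\", 1)[-1]
    if name not in targets or source in ALLOWED_SOURCES:
        return None
    access = granted_access(fields)
    if (access & INJECT_BITS) != INJECT_BITS:
        return None
    frames = foreign_frames(fields.get("CallTrace", ""))
    if not frames:
        return None
    return {
        "rule": "Potential %s Injection" % name.rsplit(".", 1)[0].capitalize(),
        "source": source,
        "target_pid": fields.get("TargetProcessId"),
        "granted_access": hex(access),
        "foreign_frames": sorted(set(frames)),
    }


if __name__ == "__main__":
    for label, raw in (("atomic", SAMPLE_INJECTION), ("benign", SAMPLE_BENIGN)):
        print(label, potential_injection(parse_event(raw)))
```

The call-trace check is what keeps a rule like this from firing on every full-access handle: the PR's event carries 0x1FFFFF (PROCESS_ALL_ACCESS), which plenty of legitimate tooling also requests, but its trace shows frames in a non-system binary between KERNELBASE and KERNEL32, which is the part worth alerting on. Expect to extend the allowlist with EDR agents and accessibility tools that genuinely open explorer.exe with write access.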