
Process Injection

Open cchansk opened this issue 2 years ago • 1 comment

Is there any reason for the "[[T1055] Process Injection]" and "[[T1055] Process Injection - CobaltStrike]" saved searches to not have the "| process_create_whitelist" in it and abide by the whitelist?

cchansk avatar Mar 02 '23 16:03 cchansk

Those particular savedsearches are derived from EventCode 8 (CreateRemoteThread) and not EventCode 1 (process create).
It does seem conspicuous that no whitelist strategy is applied. I imagine the more applicable whitelist to apply would be "remote_thread_whitelist" rather than "process_create_whitelist".

dstaulcu avatar Mar 04 '23 18:03 dstaulcu
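The point in the reply above (a process-create whitelist is keyed on EventCode 1 fields such as Image/ParentImage, while a CreateRemoteThread search carries SourceImage/TargetImage/StartModule/StartFunction) can be demonstrated outside Splunk. The following is an added example, not code from the ThreatHunting app or from either commenter: it assumes a hypothetical whitelist convention in which each entry is a mapping of field name to glob pattern and an event is suppressed only when every field in an entry matches, and it runs over a few constructed Sysmon-style events to show that applying `process_create_whitelist` to EventCode 8 events filters nothing, whereas a `remote_thread_whitelist` keyed on the right fields does.

```python
"""Apply whitelists to Sysmon EventCode 1 and EventCode 8 events.

Added example, not ThreatHunting code. Whitelist entries are assumed to be
dicts of field name -> glob pattern (hypothetical convention); an event is
suppressed when every field in some entry matches.
"""
from fnmatch import fnmatchcase

# Constructed sample events, loosely shaped like Sysmon EventCode 1
# (process create) and EventCode 8 (CreateRemoteThread) fields in Splunk.
EVENTS = [
    {"EventCode": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "EtwpNotificationThread"},
    {"EventCode": 8,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe",
     "StartModule": "",
     "StartFunction": ""},
]

# Keyed on process-create fields: meaningless for a CreateRemoteThread event.
PROCESS_CREATE_WHITELIST = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Keyed on remote-thread fields: csrss.exe legitimately starts threads
# in other processes, so suppress it regardless of target.
REMOTE_THREAD_WHITELIST = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": "*"},
]


def _matches(entry, event):
    """True only if every field in the whitelist entry matches the event."""
    for field, pattern in entry.items():
        value = event.get(field)
        if value is None:
            # The whitelist is keyed on a field this event type does not
            # carry; it cannot suppress the event.
            return False
        if not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def apply_whitelist(events, whitelist):
    """Drop events matched by any whitelist entry."""
    return [e for e in events if not any(_matches(w, e) for w in whitelist)]


def process_injection(events, whitelist):
    """EventCode 8 (CreateRemoteThread) events that survive the whitelist."""
    candidates = [e for e in events if e["EventCode"] == 8]
    return apply_whitelist(candidates, whitelist)


if __name__ == "__main__":
    # Wrong whitelist: both remote-thread events survive, csrss.exe included.
    for e in process_injection(EVENTS, PROCESS_CREATE_WHITELIST):
        print("process_create_whitelist kept:", e["SourceImage"], "->", e["TargetImage"])
    # Right whitelist: only the Temp\update.exe -> rundll32.exe thread remains.
    for e in process_injection(EVENTS, REMOTE_THREAD_WHITELIST):
        print("remote_thread_whitelist kept:", e["SourceImage"], "->", e["TargetImage"])
```

Running this shows the mismatch directly: `process_create_whitelist` never fires on EventCode 8 because those events have no Image or ParentImage field, so the benign csrss.exe thread creation is still reported; `remote_thread_whitelist` suppresses it and leaves only the thread started from a user-writable Temp directory into rundll32.exe with an empty StartModule.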