From dd0ff465ed7d91598dad9d06e575ffa7a423aa93 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 20 Mar 2025 17:35:26 +0100
Subject: [PATCH] fix(rules): Add process executable exceptions for `Potential process injection via tainted memory section` rule
---
...l_process_injection_via_tainted_memory_section.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
index e9596f2bd..80d37319c 100644
--- a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
+++ b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
@@ -1,6 +1,6 @@
name: Potential process injection via tainted memory section
id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09
-version: 1.0.0
+version: 1.0.1
description: |
Identifies potential process injection when the adversary creates and maps a memory section with RW protection rights followed by mapping of the same memory section in
@@ -25,7 +25,14 @@ condition: >
|map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096 and not ps.exe imatches ( '?:\\Program Files\\*.exe',
- '?:\\Program Files (x86)\\*.exe'
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe',
+ '?:\\WINDOWS\\System32\\csrss.exe',
+ '?:\\WINDOWS\\Explorer.exe',
+ '?:\\WINDOWS\\System32\\svchost.exe',
+ '?:\\WINDOWS\\System32\\lsass.exe',
+ '?:\\WINDOWS\\System32\\SecurityHealthService.exe'
) | as e1 |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid|
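Review bot: The seven paths added to the `not ps.exe imatches (...)` list in the second hunk exclude the process that performs the first (RW) mapping by image path alone, so a RW→RX section pairing whose first map originates from svchost.exe, Explorer.exe or lsass.exe is no longer evaluated at all, and those hosts routinely run third-party service DLLs and shell extensions whose behaviour a path match says nothing about. If the filter engine exposes image-signature or signer-trust fields, combining the path match with such a check would keep the false-positive reduction while preserving coverage for untrusted code loaded into those hosts; I have not verified which fields this engine offers, so treat that as a suggestion to check. The rule carries no record of why these entries were added, and a YAML comment above the list such as `# Exceptions for benign RW/RX section pairs observed from Defender, CSRSS, Explorer, svchost, LSASS and SecurityHealthService` would preserve the rationale for the next tuning pass. The `description` block in the first hunk still describes only the detection logic, so a sentence noting the executable exceptions would keep it in sync with the condition; the `condition:` block itself begins above the hunk.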