rabbitstack · rabbitstack · Mar 25, 2025 · Mar 20, 2025
diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
@@ -1,6 +1,6 @@
 name: Potential process injection via tainted memory section
 id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies potential process injection when the adversary creates and maps a memory
   section with RW protection rights followed by mapping of the same memory section in
@@ -25,7 +25,14 @@ condition: >
     |map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096 and not ps.exe imatches 
       (
         '?:\\Program Files\\*.exe', 
-        '?:\\Program Files (x86)\\*.exe'
+        '?:\\Program Files (x86)\\*.exe',
+        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe',
+        '?:\\WINDOWS\\System32\\csrss.exe',
+        '?:\\WINDOWS\\Explorer.exe',
+        '?:\\WINDOWS\\System32\\svchost.exe',
+        '?:\\WINDOWS\\System32\\lsass.exe',
+        '?:\\WINDOWS\\System32\\SecurityHealthService.exe'
       )
     | as e1
     |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid|