Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Uncommon Process Access Rights For Target Image

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), François HubautCreated Mon May 27a24e5861-c6ca-4fde-a93c-ba9256feddf0windows
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetImage|endswith:
            # Note: Add additional uncommon targets to increase coverage.
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\wordpad.exe'
            - '\write.exe'
        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
a24e5861-c6ca-4fde-a93c-ba9256feddf0
Status
test
Level
low
Type
Detection
Created
Mon May 27
Author
Nasreddine Bencherchali (Nextron Systems), François Hubaut
Path
rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1055.011
View on GitHub