Rule Library

Sigma Rules

1 rule found

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Category

Detectionmediumtest

Potential Process Hollowing Activity

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Windowsprocess_tampering

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055.012 · Process Hollowing

Christopher Peacock+2Tue Jan 25windows