IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Process Herpaderping Attempt
editPotential Process Herpaderping Attempt
editIdentifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence with maxspan=5s [process where host.os.type == "windows" and event.type == "start" and not process.parent.executable : ( "?:\\Windows\\SoftwareDistribution\\*.exe", "?:\\Program Files\\Elastic\\Agent\\data\\*.exe", "?:\\Program Files (x86)\\Trend Micro\\*.exe" ) ] by host.id, process.executable, process.parent.entity_id [file where host.os.type == "windows" and event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/