action: global title: Defense evasion via process reimaging id: 7fa4f550-850e-4117-b543-428c86ebb849 description: Detects process reimaging defense evasion technique status: experimental author: Alexey Balandin, oscd.community references: - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/ tags: - attack.defense_evasion date: 2019/10/25 detection: condition: all of them falsepositives: - unknown level: high --- logsource: product: windows service: sysmon detection: selection1: category: process_creation fields: - Image - OriginalFileName - ParentProcessGuid new_fields: - ImageFileName --- logsource: product: windows service: sysmon detection: selection2: EventID: 11 fields: - ProcessGuid - TargetFilename