From 7229d3a7224527c5b45c872cbd597fca3f852144 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Fri, 15 Nov 2024 21:19:47 +0100 Subject: [PATCH] chore(rules): Improve Potential Process Hollowing rule Increment the file view size to prevent enqueueing partials that are not candidates for matching. Also, remove the `pe.is_modified` condition as the sequence should be a strong enough indicator of process injection. --- ...efense_evasion_potential_process_hollowing_injection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/defense_evasion_potential_process_hollowing_injection.yml b/rules/defense_evasion_potential_process_hollowing_injection.yml index b2a7d6c28..63afea4db 100644 --- a/rules/defense_evasion_potential_process_hollowing_injection.yml +++ b/rules/defense_evasion_potential_process_hollowing_injection.yml @@ -1,6 +1,6 @@ name: Potential Process Hollowing id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53 -version: 1.0.0 +version: 1.1.0 description: | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code @@ -30,8 +30,8 @@ condition: > sequence maxspan 2m |spawn_process| by ps.child.uuid - |unmap_view_of_section and file.view.size > 10000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid - |load_executable and pe.is_modified| by ps.uuid + |unmap_view_of_section and file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid + |load_executable| by ps.uuid action: - name: kill
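Review bot: removing `pe.is_modified` from the final stage (`+ |load_executable| by ps.uuid`) makes the third step match any executable image load by the same process within the 2m `maxspan`, and because the rule's action is `kill`, a benign process that unmaps a large writable non-DLL view and then loads an executable would now be terminated rather than merely flagged; consider keeping some qualifier on the `load_executable` stage, or validating the loosened sequence against a clean-process baseline before shipping it with a `kill` action. The second change in the same hunk, raising `file.view.size` from 10000 to 20000, is justified in the commit message only as reducing enqueued partials, so the detection trade-off (unmapped views between the two thresholds are no longer considered) should be recorded in the rule description alongside the `version: 1.1.0` bump.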