@jsecurity101
Created September 13, 2019 14:19
Query run to detect Process Reimaging behavior
-- One table of Sysmon events (one row per event); a, b and c are three aliases of it,
-- each restricted to a different event type and joined on process identity.
SELECT
  a.computer_name,
  a.OriginalFileName,
  a.LogonId,
  b.ProcessId,
  c.TargetFilename
FROM processreimaging a
-- b: image load (event 7) in the same process, where the loaded image is the process's
-- own Image and reports the same OriginalFileName as the process-creation event
JOIN processreimaging b
  ON a.ProcessGuid = b.ProcessGuid
  AND b.channel = "Microsoft-Windows-Sysmon/Operational"
  AND b.event_id = 7
  AND a.OriginalFileName = b.OriginalFileName
  AND a.Image = b.ImageLoaded
-- c: file create (event 11) by the parent process, at the path the child was started from
JOIN processreimaging c
  ON a.ParentProcessGuid = c.ProcessGuid
  AND c.channel = "Microsoft-Windows-Sysmon/Operational"
  AND c.event_id = 11
  AND a.Image = c.TargetFilename
WHERE
  -- a: process create (event 1) at High integrity whose PE OriginalFileName does not
  -- match the file name in its Image path (text after the last backslash, case-insensitive)
  a.channel = "Microsoft-Windows-Sysmon/Operational"
  AND a.event_id = 1
  AND a.IntegrityLevel = "High"
  AND LOWER(a.OriginalFileName) != LOWER(substring_index(a.Image, '\\\\', -1))
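The same join and filter logic, re-expressed in plain Python so it can be run and inspected without a SQL engine. This is an added example, not part of the original gist: the column names follow the Sysmon fields the query references, and every event, path, GUID and process id below is constructed for illustration. The benign control rows show which of the query's conditions (name match, integrity level) exclude a process.

```python
# Added example (not from the original gist): the detection logic of the query
# above in plain Python over constructed Sysmon records.
from collections import defaultdict

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def image_basename(path: str) -> str:
    """Equivalent of substring_index(Image, backslash, -1): text after the last backslash."""
    return path.rsplit("\\", 1)[-1]


def detect_process_reimaging(events):
    """Return one hit per (event 1, event 7, event 11) triple satisfying the query.

    a = process creation (event_id 1) at High integrity whose PE OriginalFileName
        differs from the file name in its Image path
    b = image load (event_id 7) in the same ProcessGuid where ImageLoaded is the
        process's own Image and OriginalFileName agrees with a
    c = file creation (event_id 11) by the parent (ParentProcessGuid) whose
        TargetFilename is the path the child was started from
    """
    loads = defaultdict(list)    # ProcessGuid -> event 7 rows
    creates = defaultdict(list)  # ProcessGuid -> event 11 rows
    for e in events:
        if e.get("channel") != SYSMON_CHANNEL:
            continue
        if e["event_id"] == 7:
            loads[e["ProcessGuid"]].append(e)
        elif e["event_id"] == 11:
            creates[e["ProcessGuid"]].append(e)

    hits = []
    for a in events:
        if a.get("channel") != SYSMON_CHANNEL or a["event_id"] != 1:
            continue
        if a["IntegrityLevel"] != "High":
            continue
        # WHERE LOWER(OriginalFileName) != LOWER(<file name part of Image>)
        if a["OriginalFileName"].lower() == image_basename(a["Image"]).lower():
            continue
        for b in loads[a["ProcessGuid"]]:
            if b["OriginalFileName"] != a["OriginalFileName"] or b["ImageLoaded"] != a["Image"]:
                continue
            for c in creates[a["ParentProcessGuid"]]:
                if c["TargetFilename"] != a["Image"]:
                    continue
                hits.append({
                    "computer_name": a["computer_name"],
                    "OriginalFileName": a["OriginalFileName"],
                    "LogonId": a["LogonId"],
                    "ProcessId": b["ProcessId"],
                    "TargetFilename": c["TargetFilename"],
                })
    return hits


# Constructed sample telemetry (not real events). Paths, GUIDs and ids are made up.
STAGED = "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe"
SAMPLE_EVENTS = [
    # Chain 1: parent writes a file, child starts from it, PE name disagrees -> hit
    {"channel": SYSMON_CHANNEL, "event_id": 11, "ProcessGuid": "{P-1}", "TargetFilename": STAGED},
    {"channel": SYSMON_CHANNEL, "event_id": 1, "computer_name": "WKS01", "ProcessGuid": "{C-1}",
     "ParentProcessGuid": "{P-1}", "Image": STAGED, "OriginalFileName": "tool.exe",
     "LogonId": "0x3E7", "IntegrityLevel": "High"},
    {"channel": SYSMON_CHANNEL, "event_id": 7, "ProcessGuid": "{C-1}", "ProcessId": 4242,
     "ImageLoaded": STAGED, "OriginalFileName": "tool.exe"},
    # Chain 2: same shape, but OriginalFileName matches the file name (case differs) -> no hit
    {"channel": SYSMON_CHANNEL, "event_id": 11, "ProcessGuid": "{P-2}",
     "TargetFilename": "C:\\Tools\\updater.exe"},
    {"channel": SYSMON_CHANNEL, "event_id": 1, "computer_name": "WKS01", "ProcessGuid": "{C-2}",
     "ParentProcessGuid": "{P-2}", "Image": "C:\\Tools\\updater.exe",
     "OriginalFileName": "UPDATER.EXE", "LogonId": "0x3E7", "IntegrityLevel": "High"},
    {"channel": SYSMON_CHANNEL, "event_id": 7, "ProcessGuid": "{C-2}", "ProcessId": 4300,
     "ImageLoaded": "C:\\Tools\\updater.exe", "OriginalFileName": "UPDATER.EXE"},
    # Chain 3: name mismatch but Medium integrity -> excluded by the IntegrityLevel filter
    {"channel": SYSMON_CHANNEL, "event_id": 11, "ProcessGuid": "{P-3}",
     "TargetFilename": "C:\\Temp\\a.exe"},
    {"channel": SYSMON_CHANNEL, "event_id": 1, "computer_name": "WKS01", "ProcessGuid": "{C-3}",
     "ParentProcessGuid": "{P-3}", "Image": "C:\\Temp\\a.exe", "OriginalFileName": "b.exe",
     "LogonId": "0x5A2", "IntegrityLevel": "Medium"},
    {"channel": SYSMON_CHANNEL, "event_id": 7, "ProcessGuid": "{C-3}", "ProcessId": 4400,
     "ImageLoaded": "C:\\Temp\\a.exe", "OriginalFileName": "b.exe"},
]

if __name__ == "__main__":
    for hit in detect_process_reimaging(SAMPLE_EVENTS):
        print(hit)
```

Only chain 1 is reported: the nested loops reproduce the SQL's behaviour of emitting one row per matching (b, c) pair, so a process with several qualifying image-load or file-create rows would appear more than once, exactly as the query does.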