EXPLORE
← Back to Explore
sigmahighHunting

Execution Of Non-Existing File

Detects process creation events where the Image field lacks an absolute path, which occurs when the backing file no longer exists on disk at the time of logging - commonly caused by Process Ghosting or other unorthodox process creation techniques.

MITRE ATT&CK

privilege-escalation

Detection Query

filter_main_image_absolute_path:
  Image|contains: \
filter_optional_null:
  Image: null
filter_optional_empty:
  Image:
    - "-"
    - ""
filter_optional_4688:
  - Image:
      - MemCompression
      - Registry
      - System
      - vmmem
      - vmmemWSL
  - CommandLine:
      - MemCompression
      - Registry
      - vmmem
      - vmmemWSL
condition: not 1 of filter_main_* and not 1 of filter_optional_*

Author

Max Altgelt (Nextron Systems)

Created

2021-12-09

Data Sources

windowsProcess Creation Events

Platforms

windows

Tags

attack.stealthattack.privilege-escalationattack.t1055
Raw Content
title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: test
description: |
    Detects process creation events where the Image field lacks an absolute path,
    which occurs when the backing file no longer exists on disk at the time of
    logging - commonly caused by Process Ghosting or other unorthodox process creation techniques.
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
    - https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2026-07-05
tags:
    - attack.stealth
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    filter_main_image_absolute_path:
        Image|contains: '\'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image:
            - '-'
            - ''
    filter_optional_4688:
        - Image:
              - 'MemCompression'
              - 'Registry'
              - 'System'
              - 'vmmem'
              - 'vmmemWSL'
        - CommandLine:
              - 'MemCompression'
              - 'Registry'
              - 'vmmem'
              - 'vmmemWSL'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high