← Back to Explore
sigmahighHunting
Execution Of Non-Existing File
Detects process creation events where the Image field lacks an absolute path, which occurs when the backing file no longer exists on disk at the time of logging - commonly caused by Process Ghosting or other unorthodox process creation techniques.
Detection Query
filter_main_image_absolute_path:
Image|contains: \
filter_optional_null:
Image: null
filter_optional_empty:
Image:
- "-"
- ""
filter_optional_4688:
- Image:
- MemCompression
- Registry
- System
- vmmem
- vmmemWSL
- CommandLine:
- MemCompression
- Registry
- vmmem
- vmmemWSL
condition: not 1 of filter_main_* and not 1 of filter_optional_*
Author
Max Altgelt (Nextron Systems)
Created
2021-12-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.stealthattack.privilege-escalationattack.t1055
Raw Content
title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: test
description: |
Detects process creation events where the Image field lacks an absolute path,
which occurs when the backing file no longer exists on disk at the time of
logging - commonly caused by Process Ghosting or other unorthodox process creation techniques.
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
- https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2026-07-05
tags:
- attack.stealth
- attack.privilege-escalation
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
filter_main_image_absolute_path:
Image|contains: '\'
filter_optional_null:
Image: null
filter_optional_empty:
Image:
- '-'
- ''
filter_optional_4688:
- Image:
- 'MemCompression'
- 'Registry'
- 'System'
- 'vmmem'
- 'vmmemWSL'
- CommandLine:
- 'MemCompression'
- 'Registry'
- 'vmmem'
- 'vmmemWSL'
condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high