← Back to SOC feed Coverage →

Process Launched Without Image Name

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detect the use of processes with no name (“.exe”), which can be used to evade Image-based detections.

Detection Rule

Sigma (Original)

title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: test
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\.exe'
    condition: selection
falsepositives:
    - Rare legitimate software.
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\.exe"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml