Modified Executable - Connection from an In-Memory Modified Executable
Hello everyone
Recently i have started to receive logs with "Modified Executable - Connection from an In-Memory Modified Executable" rule. I did not manage to find information about this rule on the internet but still want to understand what this event means, which behaviour triggers this rule, is this something malicious or i shouldnt worry about it at all?
Here is full log:
<133>1 2023-09-25T10:42:01.000Z forti10.fortiedr.com FortiEDR - - - Message Type: Security Event;Organization: ;Organization ID: ;Event ID: 33649969;Raw Data ID: 1932815690;Device Name: ;Device State: Running;Operating System: Windows 10 Pro;Process Name: rooksbas.dll;Process Path: \Device\HarddiskVolume3\Program Files (x86)\Trusteer\Rapport\bin\rooksbas.dll;Process Type: 32bit;Severity: Medium;Classification: Likely Safe;Destination: 41.72.45.1;First Seen: 22-Sep-2023, 18:26:21;Last Seen: 25-Sep-2023, 12:42:01;Action: Blocked;Count: 92;Certificate: yes;Rules List: Modified Executable - Connection from an In-Memory Modified Executable;Users: N/A;MAC Address: 75-EE-34-CB-21-E1;Script: N/A;Script Path: N/A;Autonomous System: 8075 MICROSOFT-CORP-MSN-AS-BLOCK;Country: Netherlands;Process Hash: 13FC7A6CE7B1AEAB65E46E0BC245F9DB88B57B17;Source IP: 10.0.61.19;Threat Name: Unknown;Threat Family: Unknown;Threat Type: Unknown;Remediation Processes: N/A;Remediation Files: N/A;MITRE techniques: N/A;Target: \Device\HarddiskVolume3\Windows\System32\drivers\msseccore.sys, \Device\HarddiskVolume3\Windows\System32\wininit.exe, \Device\HarddiskVolume3\Windows\System32\smss.exe, \Device\HarddiskVolume3\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe, \Device\HarddiskVolume3\Windows\System32\services.exe;Command line: 000000cc 00000088 ;Remote Connection: N/A
