---
title: Potential Process Herpaderping Attempt
description: Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute...
url: https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/defense_evasion_potential_processherpaderping
products:
  - Elastic Security
---

# Potential Process Herpaderping Attempt
<warning>
  This rule has been deprecated as of 2023/12/15.
</warning>

Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate
an evasion attempt to execute malicious code in a stealthy way.
**Rule type**: eql
**Rule indices**:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*

**Rule Severity**: high
**Risk Score**: 73
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
- [[https://github.com/jxy-s/herpaderping](https://github.com/jxy-s/herpaderping)](https://github.com/jxy-s/herpaderping)

**Tags**:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Defend

**Version**: 105
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Rule Query

```eql
sequence with maxspan=5s
   [process where host.os.type == "windows" and event.type == "start" and not process.parent.executable :
      (
         "?:\\Windows\\SoftwareDistribution\\*.exe",
         "?:\\Program Files\\Elastic\\Agent\\data\\*.exe",
         "?:\\Program Files (x86)\\Trend Micro\\*.exe"
      )
   ] by host.id, process.executable, process.parent.entity_id
   [file where host.os.type == "windows" and event.type == "change" and event.action == "overwrite" and file.extension == "exe"] by host.id, file.path, process.entity_id
```

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Defense Evasion
- Id: TA0005
- Reference URL: [[https://attack.mitre.org/tactics/TA0005/](https://attack.mitre.org/tactics/TA0005/)](https://attack.mitre.org/tactics/TA0005/)
- Technique:
  - Name: Masquerading
- Id: T1036
- Reference URL: [[https://attack.mitre.org/techniques/T1036/](https://attack.mitre.org/techniques/T1036/)](https://attack.mitre.org/techniques/T1036/)