Add more processes
@@ -4,9 +4,9 @@ status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
- https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
date: 2017/11/27
modified: 2021/05/23
modified: 2022/07/03
tags:
- attack.defense_evasion
- attack.t1036
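Review bot: The `modified` date is bumped and a co-author is added, but the `references` list in this same hunk still carries only the single 2017 tweet, while the description ("started in a suspicious folder") now has to justify a much longer process list than it did in 2017. A second reference documenting the expected install locations of the newly watched binaries, or a sentence in the description naming the folders the rule treats as legitimate, would let a reviewer check the additions against the filter instead of taking them on trust.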
@@ -20,6 +20,7 @@ detection:
- '\rundll32.exe'
- '\services.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\regsvr32.exe'
- '\spoolsv.exe'
- '\lsass.exe'
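Review bot: `'\powershell_ise.exe'` is the one line this hunk adds (6 lines become 7, with three unchanged lines on either side), and its legitimate 64-bit location `C:\Windows\System32\WindowsPowerShell\v1.0\` is covered by the `Image|startswith: 'C:\Windows\System32\'` filter shown later in the diff; the 32-bit copy under `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\` is not matched by that prefix. Unless the filter section also lists `C:\Windows\SysWOW64\` (not visible in this diff), every 32-bit ISE launch on a 64-bit host will trigger the rule, so please confirm that exclusion exists or add it alongside this line.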
@@ -38,6 +39,31 @@ detection:
- '\dllhost.exe'
- '\audiodg.exe'
- '\wlanext.exe'
- '\dashost.exe'
- '\schtasks.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\bitsadmin.exe'
- '\atbroker.exe'
- '\bcdedit.exe'
- '\certutil.exe'
- '\certreq.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\defrag.exe'
- '\dism.exe'
- '\dllhst3g.exe'
- '\eventvwr.exe'
- '\msiexec.exe'
- '\runonce.exe'
- '\winver.exe'
- '\logonui.exe'
- '\userinit.exe'
- '\dwm.exe'
- '\LsaIso.exe'
- '\ntoskrnl.exe'
filter:
- Image|startswith:
- 'C:\Windows\System32\'
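Review bot: Several of the 25 names added between `'\dashost.exe'` and `'\ntoskrnl.exe'` legitimately run from outside the one filter prefix visible here, `C:\Windows\System32\`: `wsl.exe` from the Store-distributed WSL lives under `C:\Program Files\WSL\`, `dism.exe` also ships with the Windows ADK under `C:\Program Files (x86)\Windows Kits\`, and `schtasks.exe`, `cscript.exe`, `wscript.exe`, `certutil.exe`, `msiexec.exe` and `winver.exe` all have 32-bit copies under `C:\Windows\SysWOW64\`. If the rest of the `filter` list (beyond the three trailing context lines of this hunk) does not already exclude those paths, each of these additions will fire on routine administrative activity; either extend the `Image|startswith` list for them or document the expected noise under `falsepositives` so downstream tuning is not guesswork.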