security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/file_event/sysmon_creation_system_file.yml
T
phantinuss 4b18d5e45c chore: set status to test
2021-10-29 09:57:19 +02:00

61 lines
1.8 KiB
YAML
Executable File
Raw Blame History

title: File Created with System Process Name
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: Detects the creation of an executable with a system process name in a suspicious folder
author: Sander Wiebing
date: 2020/05/26
modified: 2021/10/28
tags:
- attack.defense_evasion
- attack.t1036 # an old one
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\svchost.exe'
- '\rundll32.exe'
- '\services.exe'
- '\powershell.exe'
- '\regsvr32.exe'
- '\spoolsv.exe'
- '\lsass.exe'
- '\smss.exe'
- '\csrss.exe'
- '\conhost.exe'
- '\wininit.exe'
- '\lsm.exe'
- '\winlogon.exe'
- '\explorer.exe'
- '\taskhost.exe'
- '\Taskmgr.exe'
- '\taskmgr.exe'
- '\sihost.exe'
- '\RuntimeBroker.exe'
- '\runtimebroker.exe'
- '\smartscreen.exe'
- '\dllhost.exe'
- '\audiodg.exe'
- '\wlanext.exe'
filter1:
TargetFilename|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWow64\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\winsxs\'
- 'C:\Windows\WinSxS\'
- '\SystemRoot\System32\'
Image|endswith: '\Windows\System32\dism.exe'
filter2:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
condition: selection and not filter1 and not filter2
fields:
- Image
falsepositives:
- System processes copied outside the default folder
level: high
Reference in New Issue View Git Blame Copy Permalink