security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b24e863a1ca78d00eccee2076b2ee671b8a3f2ff
blue-team-tools/rules/windows/sysmon/sysmon_file_executable.yml
T
Nasreddine Bencherchali 1e02a7db4c Apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-07-20 15:47:14 +02:00

22 lines
723 B
YAML
Raw Blame History

title: Sysmon File Executable Creation Detected
id: 693a44e9-7f26-4cb6-b787-214867672d3a
status: experimental
description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
author: frack113
date: 2023/07/20
tags:
- attack.defense_evasion
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 29 # this is fine, we want to match any FileBlockShredding event
condition: selection
falsepositives:
- Unlikely
level: medium
Reference in New Issue View Git Blame Copy Permalink