Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
30 lines
1013 B
YAML
30 lines
1013 B
YAML
title: Potential Fake Instance Of Hxtsr.EXE Executed
|
|
id: 4e762605-34a8-406d-b72e-c1a089313320
|
|
status: test
|
|
description: |
|
|
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
|
|
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
|
|
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
|
|
references:
|
|
- Internal Research
|
|
author: Sreeman
|
|
date: 2020-04-17
|
|
modified: 2024-02-08
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1036
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
# TODO: Link this to the more generic system process rule
|
|
selection:
|
|
Image|endswith: '\hxtsr.exe'
|
|
filter_main_hxtsr:
|
|
Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
|
|
Image|endswith: '\hxtsr.exe'
|
|
condition: selection and not 1 of filter_main_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|