blue-team-tools/rules-unsupported/sysmon_non_priv_program_files_move.yml
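# Sigma rule (Sysmon file_event): a Medium-integrity, i.e. non-elevated, process
# writes a file under Program Files or under \Windows (outside temp paths).
title: Files Dropped to Program Files by Non-Privileged Process
id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
description: Search for dropping of files to Windows/Program Files folders by non-privileged processes
status: experimental
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020/10/17
modified: 2021/08/14
references:
  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
tags:
  - attack.persistence
  - attack.defense_evasion
  - attack.t1574
  - attack.t1574.010
logsource:
  category: file_event
  product: windows
detection:
  integrity:
    # Only Medium-integrity writers are selected; Low / AppContainer writers are
    # not covered by this rule — confirm that is intended.
    IntegrityLevel: 'Medium'
  program_files:
    TargetFilename|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  windows:
    # NOTE(review): Sysmon's TargetFilename normally carries the full path
    # including the drive letter (e.g. C:\Windows\...), so a startswith on
    # '\Windows\' may never match — verify against real events; '|contains'
    # is likely what was intended.
    TargetFilename|startswith: '\Windows\'
  temp:
    # Excludes any path containing 'temp' anywhere, not just \Windows\Temp\,
    # so e.g. '...\template\...' is also dropped — confirm this breadth is wanted.
    TargetFilename|contains: 'temp'
  # Sigma precedence: 'and' binds tighter than 'or', so this reads as
  # integrity and (program_files or (windows and not temp)); the temp exclusion
  # applies only to the \Windows branch.
  condition: integrity and (program_files or windows and not temp)
falsepositives:
  - Unknown
level: medium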