valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
725ab99e90
SigmaHQ/rules/windows/process_creation/win_susp_taskmgr_parent.yml

24 lines
516 B
YAML
Raw Normal View History

Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
title: Taskmgr as Parent
status: experimental
description: Detects the creation of a process from Windows task manager
author: Florian Roth
date: 2018/03/13
logsource:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
category: process_creation
product: windows
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
detection:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
selection:
ParentImage: '*\taskmgr.exe'
filter:
Image:
- resmon.exe
- mmc.exe
condition: selection and not filter
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
fields:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
- Image
- CommandLine
- ParentCommandLine
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
falsepositives:
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4
2019-03-01 23:14:20 +00:00
- Administrative activity
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 22:36:31 +00:00
level: low
Reference in New Issue Copy Permalink