valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a0efd7a4dc
SigmaHQ/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml

24 lines
841 B
YAML
Raw Normal View History

update - GitHub Action / Test Sigma
2020-10-13 01:58:02 +00:00
title: High Integrity Sdclt Process
16 rules from DH APT29 day 1 - contributing soon
2020-10-12 22:13:13 +00:00
id: 40f9af16-589d-4984-b78d-8c2aec023197
description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
status: experimental
date: 2020/05/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1548.002
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
logsource:
update - GitHub Action / Test Sigma
2020-10-13 02:11:01 +00:00
category: process_creation
16 rules from DH APT29 day 1 - contributing soon
2020-10-12 22:13:13 +00:00
product: windows
detection:
selection:
Image|endswith: 'sdclt.exe'
IntegrityLevel: 'High'
condition: selection
falsepositives:
- unknown
level: medium
Reference in New Issue Copy Permalink