valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
87ce07088f
SigmaHQ/rules/windows/builtin/win_susp_run_locations.yml

39 lines
1.0 KiB
YAML
Raw Blame History

action: global
title: Suspicious Process Start Locations
description: Detects suspicious process run from unusual locations
status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4
tags:
- attack.defense_evasion
- attack.t1036
detection:
selection:
CommandLine:
- "*:\\RECYCLER\\*"
- "*:\\SystemVolumeInformation\\*"
- "%windir%\\Tasks\\*"
- "%systemroot%\\debug\\*"
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Reference in New Issue View Git Blame Copy Permalink