mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
27 lines
793 B
YAML
27 lines
793 B
YAML
title: Suspicious Program Location Process Starts
|
|
status: experimental
|
|
description: Detects programs running in suspicious files system locations
|
|
references:
|
|
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
|
|
author: Florian Roth
|
|
date: 2019/01/15
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 1
|
|
Image:
|
|
# - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows
|
|
- '*\$Recycle.bin'
|
|
- '*\Users\Public\\*'
|
|
- 'C:\Perflogs\\*'
|
|
- '*\Windows\Fonts\\*'
|
|
- '*\Windows\IME\\*'
|
|
- '*\Windows\addins\\*'
|
|
- '*\Windows\debug\\*'
|
|
condition: selection
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|