mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
3.6 KiB
3.6 KiB
| Title | Taskmgr as LOCAL_SYSTEM |
|---|---|
| Description | Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Data Needed | |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives |
|
| Development Status | experimental |
| References | |
| Author | Florian Roth |
Detection Rules
Sigma rule
title: Taskmgr as LOCAL_SYSTEM
status: experimental
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
author: Florian Roth
date: 2018/03/18
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
User: 'NT AUTHORITY\SYSTEM'
Image: '*\taskmgr.exe'
condition: selection
falsepositives:
- Unkown
level: high
Kibana query
(EventID:"1" AND User:"NT\\ AUTHORITY\\\\SYSTEM" AND Image.keyword:*\\\\taskmgr.exe)
X-Pack Watcher
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Taskmgr-as-LOCAL_SYSTEM <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"1\\" AND User:\\"NT\\\\ AUTHORITY\\\\\\\\SYSTEM\\" AND Image.keyword:*\\\\\\\\taskmgr.exe)",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Taskmgr as LOCAL_SYSTEM\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
Graylog
(EventID:"1" AND User:"NT AUTHORITY\\\\SYSTEM" AND Image:"*\\\\taskmgr.exe")