Files Dropped to Program Files by Non-Privileged Process

Searches for files dropped into the Windows or Program Files folders by non-privileged processes

Sigma rule

title: Files Dropped to Program Files by Non-Privileged Process
id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
description: Searches for files dropped into the Windows or Program Files folders by non-privileged processes
status: experimental
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020/10/17
modified: 2021/08/14
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1574
    - attack.t1574.010
logsource:
    category: file_event
    product: windows
detection:
    integrity:
        IntegrityLevel: 'Medium'
    program_files:
        TargetFilename|contains:
            - '\Program Files\'
            - '\Program Files (x86)\'
    windows:
        TargetFilename|startswith: '\Windows\'
    temp:
        TargetFilename|contains: 'temp'
    condition: integrity and (program_files or windows and not temp)
falsepositives:
    - Unknown
level: medium
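The condition above reads as `integrity and (program_files or (windows and not temp))`, because Sigma binds `and` tighter than `or`; the `temp` exclusion therefore only affects the `\Windows\` branch, not Program Files paths. The following is an added example, not code from the page or from SigmaHQ: a minimal Python evaluator for the rule's detection block, run over constructed file-create events. It assumes events are dicts keyed by the Sigma field names the rule uses (TargetFilename, IntegrityLevel) and that matching is case-insensitive, as Sigma's `contains`/`startswith` modifiers are by default. Two practical points it makes visible: Sysmon's file-create event (ID 11) does not itself carry IntegrityLevel, so the field has to be enriched from the creating process before this rule can fire; and `startswith: '\Windows\'` as written does not match a full path that begins with a drive letter such as `C:\Windows\`, so the sample with an absolute path is not flagged.

```python
# Added example (not from the page or SigmaHQ): evaluator for the rule's
# detection block, applied to constructed file-create events.
# Assumptions: events are dicts keyed by the rule's Sigma field names;
# string matching is case-insensitive, as Sigma modifiers are by default.

PROGRAM_FILES_SUBSTRINGS = ("\\program files\\", "\\program files (x86)\\")


def integrity(event: dict) -> bool:
    """Selection 'integrity': IntegrityLevel equals Medium."""
    return event.get("IntegrityLevel", "").lower() == "medium"


def program_files(event: dict) -> bool:
    """Selection 'program_files': TargetFilename contains either Program Files path."""
    target = event.get("TargetFilename", "").lower()
    return any(s in target for s in PROGRAM_FILES_SUBSTRINGS)


def windows(event: dict) -> bool:
    """Selection 'windows': TargetFilename starts with '\\Windows\\', exactly as the rule states."""
    return event.get("TargetFilename", "").lower().startswith("\\windows\\")


def temp(event: dict) -> bool:
    """Selection 'temp': TargetFilename contains 'temp' anywhere in the path."""
    return "temp" in event.get("TargetFilename", "").lower()


def matches(event: dict) -> bool:
    """condition: integrity and (program_files or windows and not temp)

    Sigma gives 'and' higher precedence than 'or', so the parenthesised part
    is program_files or (windows and not temp): the temp exclusion applies to
    the Windows branch only.
    """
    return integrity(event) and (program_files(event) or (windows(event) and not temp(event)))


# Constructed sample events (not real telemetry). Sysmon event ID 11 has no
# IntegrityLevel field of its own; the rule assumes it was enriched from the
# creating process, so it is supplied here directly.
SAMPLE_EVENTS = [
    {"name": "medium-pf",       "IntegrityLevel": "Medium", "TargetFilename": "C:\\Program Files\\Vendor\\update.exe"},
    {"name": "high-pf",         "IntegrityLevel": "High",   "TargetFilename": "C:\\Program Files\\Vendor\\update.exe"},
    {"name": "medium-usertemp", "IntegrityLevel": "Medium", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"},
    {"name": "medium-win-rel",  "IntegrityLevel": "Medium", "TargetFilename": "\\Windows\\System32\\helper.dll"},
    {"name": "medium-wintemp",  "IntegrityLevel": "Medium", "TargetFilename": "\\Windows\\Temp\\installer.exe"},
    {"name": "medium-win-abs",  "IntegrityLevel": "Medium", "TargetFilename": "C:\\Windows\\System32\\helper.dll"},
    {"name": "medium-pf-temp",  "IntegrityLevel": "Medium", "TargetFilename": "C:\\Program Files (x86)\\App\\temp\\plugin.dll"},
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {event name: True if the rule would fire} for the given events."""
    return {e["name"]: matches(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Running the block flags `medium-pf`, `medium-win-rel` and `medium-pf-temp` (the last one because the `temp` exclusion never reaches the Program Files branch), and leaves `medium-win-abs` unflagged because of the drive-letter prefix; when deploying the rule against Sysmon telemetry, that is the selection to check first.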
