Suspicious Application Installed
Detects a suspicious application installation by looking at the shortcut added to the app resolver cache (Microsoft-Windows-Shell-Core event 28115).
Sigma rule

title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: test
description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
references:
    - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.execution
logsource:
    product: windows
    service: shell-core
detection:
    selection_name:
        EventID: 28115
        Name|contains:
            # Please add more
            - 'Zenmap'
            - 'AnyDesk'
            - 'wireshark'
            - 'openvpn'
    selection_packageid:
        EventID: 28115
        AppID|contains:
            # Please add more
            - 'zenmap.exe'
            - 'prokzult ad' # AnyDesk
            - 'wireshark'
            - 'openvpn'
    condition: 1 of selection_*
falsepositives:
    - Packages or applications being legitimately used by users or administrators
level: medium
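To show what the two selections and the `1 of selection_*` condition actually do when run over Shell-Core records, the following added example (written for this page, not code from the Sigma project or the rule author) evaluates the rule's logic in plain Python. It assumes events have already been parsed from the Microsoft-Windows-Shell-Core Operational log into dicts keyed by the field names the rule uses (EventID, Name, AppID); all sample events below are constructed, not real log data. Matching is case-insensitive, which mirrors the default behaviour of Sigma's `contains` modifier.

```python
"""Evaluate the 'Suspicious Application Installed' Sigma rule against sample events.

Added example, not part of the Sigma project or the rule author's tooling.
Assumption: each event is a dict with the fields EventID, Name and AppID, as
they would appear after parsing the Shell-Core Operational log.
"""
from typing import Any, Dict, List, Tuple

# Selection values copied from the Sigma rule above.
EVENT_ID = 28115
NAME_CONTAINS = ["Zenmap", "AnyDesk", "wireshark", "openvpn"]
APPID_CONTAINS = ["zenmap.exe", "prokzult ad", "wireshark", "openvpn"]

# Constructed sample records (hypothetical values, shaped like the rule's fields).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 28115, "Name": "Wireshark",
     "AppID": r"C:\Program Files\Wireshark\Wireshark.exe"},      # both selections
    {"EventID": 28115, "Name": "Microsoft Edge", "AppID": "MSEdge"},  # benign, no match
    {"EventID": 28115, "Name": "AD Remote Support",
     "AppID": "Prokzult AD.AnyDeskRemote"},                       # AppID only
    {"EventID": 28116, "Name": "Zenmap", "AppID": "zenmap.exe"},  # wrong EventID
    {"EventID": 28115, "Name": "OpenVPN Connect",
     "AppID": "OpenVPNInc.OpenVPNConnect"},                       # both selections
]


def _contains_any(value: Any, needles: List[str]) -> bool:
    """Sigma 'contains' semantics: substring match, case-insensitive by default."""
    if not isinstance(value, str):
        return False
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def selection_name(event: Dict[str, Any]) -> bool:
    """selection_name: EventID 28115 and Name contains one of the listed strings."""
    return event.get("EventID") == EVENT_ID and _contains_any(event.get("Name"), NAME_CONTAINS)


def selection_packageid(event: Dict[str, Any]) -> bool:
    """selection_packageid: EventID 28115 and AppID contains one of the listed strings."""
    return event.get("EventID") == EVENT_ID and _contains_any(event.get("AppID"), APPID_CONTAINS)


def matched_selections(event: Dict[str, Any]) -> List[str]:
    """Names of the selections that fire; non-empty means '1 of selection_*' is met."""
    fired = []
    if selection_name(event):
        fired.append("selection_name")
    if selection_packageid(event):
        fired.append("selection_packageid")
    return fired


def evaluate(events: List[Dict[str, Any]]) -> List[Tuple[int, Any, List[str]]]:
    """Return (index, Name, fired selections) for every event the rule would alert on."""
    hits = []
    for index, event in enumerate(events):
        fired = matched_selections(event)
        if fired:
            hits.append((index, event.get("Name"), fired))
    return hits


if __name__ == "__main__":
    for index, name, fired in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: Name={name!r} matched {', '.join(fired)}")
```

Two points the sample set makes visible: the third record fires only on the AppID package identity even though its display name gives nothing away, which is why the rule keeps both selections, and the fourth record is ignored despite a matching name because the EventID filter is part of every selection. When extending the `# Please add more` lists, keep the false-positive note in mind: each added string should name something that is not routinely installed by your own users or administrators.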