Suspicious Application Installed

Detects the installation of a suspicious application by looking at the shortcut added to the app resolver cache (Windows Shell-Core event 28115).

Sigma rule

title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: test
description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
references:
    - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
tags:
    - attack.execution
logsource:
    product: windows
    service: shell-core
detection:
    selection_name:
        EventID: 28115
        Name|contains:
            # Please add more
            - 'Zenmap'
            - 'AnyDesk'
            - 'wireshark'
            - 'openvpn'
    selection_packageid:
        EventID: 28115
        AppID|contains:
            # Please add more
            - 'zenmap.exe'
            - 'prokzult ad' # AnyDesk
            - 'wireshark'
            - 'openvpn'
    condition: 1 of selection_*
falsepositives:
    - Packages or applications being legitimately used by users or administrators
level: medium
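To make the rule's logic concrete, the following added example (not part of the Sigma project or of this rule's author's material) evaluates the two selections and the `1 of selection_*` condition over a handful of constructed Shell-Core event records. It assumes the event fields are named `EventID`, `Name` and `AppID` exactly as in the rule, and that Sigma's `contains` modifier matches case-insensitively, which is the Sigma default. The sample events are constructed, not real logs.

```python
# Added example: evaluates the Sigma rule above over constructed event records.
# Not code from the Sigma project. Event dicts are constructed sample input.

EVENT_ID = 28115

# Substrings copied from the rule's selection_name and selection_packageid lists.
NAME_CONTAINS = ["Zenmap", "AnyDesk", "wireshark", "openvpn"]
APPID_CONTAINS = ["zenmap.exe", "prokzult ad", "wireshark", "openvpn"]


def _contains_any(value, needles):
    """Sigma string matching is case-insensitive by default, so compare lowercased."""
    if value is None:
        return False
    haystack = str(value).lower()
    return any(needle.lower() in haystack for needle in needles)


def selection_name(event):
    """selection_name: EventID 28115 and Name contains one of the app names."""
    return event.get("EventID") == EVENT_ID and _contains_any(event.get("Name"), NAME_CONTAINS)


def selection_packageid(event):
    """selection_packageid: EventID 28115 and AppID contains one of the package ids."""
    return event.get("EventID") == EVENT_ID and _contains_any(event.get("AppID"), APPID_CONTAINS)


def matches(event):
    """condition: 1 of selection_* -> fires when at least one selection matches."""
    return selection_name(event) or selection_packageid(event)


def evaluate(events):
    """Return (index, [names of selections that matched]) for every event that fires the rule."""
    checks = (("selection_name", selection_name), ("selection_packageid", selection_packageid))
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, fn in checks if fn(ev)]
        if fired:
            hits.append((i, fired))
    return hits


# Constructed sample events (not real logs); field names follow the rule's logsource.
SAMPLE_EVENTS = [
    {"EventID": 28115, "Name": "Wireshark", "AppID": "C:\\Program Files\\Wireshark\\Wireshark.exe"},
    {"EventID": 28115, "Name": "AnyDesk", "AppID": "prokzult ad"},  # AppID alias listed in the rule
    {"EventID": 28115, "Name": "Notepad", "AppID": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App"},
    {"EventID": 28116, "Name": "Zenmap", "AppID": "zenmap.exe"},  # wrong EventID: must not fire
    {"EventID": 28115, "Name": "OpenVPN Connect", "AppID": None},  # only the Name selection can fire
]

if __name__ == "__main__":
    for idx, fired in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: Name={SAMPLE_EVENTS[idx]['Name']!r} matched {fired}")
```

Note that the fourth sample event carries both watched strings but a different EventID and therefore does not fire; when porting the rule to a SIEM, the EventID constraint must be kept inside each selection, as the rule does, rather than applied only once globally.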
