Suspicious ConfigSecurityPolicy Execution
Upload file, credentials or data exfiltration with Binary part of Windows Defender
Sigma rule (View on GitHub)
1title: Suspicious ConfigSecurityPolicy Execution
2id: 1f0f6176-6482-4027-b151-00071af39d7e
3status: test
4description: Upload file, credentials or data exfiltration with Binary part of Windows Defender
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
7author: frack113
8date: 2021/11/26
9modified: 2022/05/16
10tags:
11 - attack.exfiltration
12 - attack.t1567
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 lolbas:
18 - CommandLine|contains: ConfigSecurityPolicy.exe
19 - Image|endswith: '\ConfigSecurityPolicy.exe'
20 - OriginalFileName: 'ConfigSecurityPolicy.exe'
21 remote:
22 CommandLine|contains:
23 - 'https://'
24 - 'http://'
25 - 'ftp://'
26 condition: lolbas and remote
27falsepositives:
28 - Unknown
29level: medium
References
-
Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...
Read More
Related rules
- Communication To Ngrok Tunneling Service - Linux
- LOLBAS Data Exfiltration by DataSvcUtil.exe
- AWS EC2 VM Export Failure
- AWS RDS Master Password Change
- Email Exifiltration Via Powershell