Renamed BrowserCore.EXE Execution

Aug 12, 2024 · attack.t1528 attack.t1036.003 ·

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Sigma rule (View on GitHub)

 1title: Renamed BrowserCore.EXE Execution
 2id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
 3status: test
 4description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
 5references:
 6    - https://twitter.com/mariuszbit/status/1531631015139102720
 7author: Max Altgelt (Nextron Systems)
 8date: 2022-06-02
 9modified: 2023-02-03
10tags:
11    - attack.t1528
12    - attack.t1036.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        OriginalFileName: BrowserCore.exe
19    filter_realbrowsercore:
20        Image|endswith: '\BrowserCore.exe'
21    condition: selection and not 1 of filter_*
22falsepositives:
23    - Unknown
24level: high

References

x.com

Read More

Related rules

Anomalous Token
Anonymous IP Address
App Granted Microsoft Permissions
Application URI Configuration Changes
Delegated Permissions Granted For All Users

Renamed BrowserCore.EXE Execution

Sigma rule (View on GitHub)

References

x.com

Related rules