Renamed BrowserCore.EXE Execution

Detects process creation events in which a renamed copy of BrowserCore.exe is executed (a legitimate Windows binary abused to extract Azure tokens). The rule keys on the PE metadata field OriginalFileName, which survives renaming, and excludes executions where the image on disk is still named BrowserCore.exe.

Sigma rule

title: Renamed BrowserCore.EXE Execution
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: test
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
references:
    - https://twitter.com/mariuszbit/status/1531631015139102720
author: Max Altgelt (Nextron Systems)
date: 2022-06-02
modified: 2023-02-03
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1528
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: BrowserCore.exe
    filter_realbrowsercore:
        Image|endswith: '\BrowserCore.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
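The following is an added example, not part of the Sigma project or this rule, that evaluates the rule's `selection and not 1 of filter_*` logic over constructed process-creation events with Sysmon-style field names; the sample paths are invented for illustration. It applies Sigma's default case-insensitive string matching, which matters because a renamed copy may preserve the original name with different casing.

```python
# Added example: evaluates the Renamed BrowserCore.EXE rule logic in plain Python.
# Not the Sigma project's code; event dicts below are constructed sample data.

def matches_renamed_browsercore(event: dict) -> bool:
    """Return True when a process-creation event would trigger the rule.

    selection:             OriginalFileName == 'BrowserCore.exe'
    filter_realbrowsercore: Image ends with '\\BrowserCore.exe'
    condition:             selection and not 1 of filter_*
    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before comparison.
    """
    original = (event.get("OriginalFileName") or "").lower()
    image = (event.get("Image") or "").lower()
    selection = original == "browsercore.exe"
    filter_real = image.endswith("\\browsercore.exe")
    return selection and not filter_real


# Constructed sample events (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe",
     "OriginalFileName": "BrowserCore.exe"},   # genuine binary, not renamed
    {"Image": r"C:\Users\Public\bc.exe",
     "OriginalFileName": "BrowserCore.exe"},   # renamed copy -> alert
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},       # unrelated process
    {"Image": r"C:\Temp\browsercore.EXE",
     "OriginalFileName": "BROWSERCORE.EXE"},   # same name, different case -> no alert
]


def alerting_images(events) -> list:
    """Return the Image paths of all events that trigger the rule."""
    return [e["Image"] for e in events if matches_renamed_browsercore(e)]


if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT renamed BrowserCore.exe:", img)
```

Because the filter only checks the file name, a copy placed in another directory but still named BrowserCore.exe is deliberately not flagged by this rule; pairing it with a path-based rule covers that case.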
