Renamed BrowserCore.EXE Execution

calendar Dec 1, 2023 · attack.t1528 attack.t1036.003  ·
Share on: linkedin copy

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Sigma rule (View on GitHub)

 1title: Renamed BrowserCore.EXE Execution
 2id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
 3status: test
 4description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
 5references:
 6    - https://twitter.com/mariuszbit/status/1531631015139102720
 7author: Max Altgelt (Nextron Systems)
 8date: 2022/06/02
 9modified: 2023/02/03
10tags:
11    - attack.t1528
12    - attack.t1036.003
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        OriginalFileName: BrowserCore.exe
19    filter_realbrowsercore:
20        Image|endswith: '\BrowserCore.exe'
21    condition: selection and not 1 of filter_*
22falsepositives:
23    - Unknown
24level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top