Renamed SysInternals DebugView Execution
Detects suspicious renamed SysInternals DebugView execution
Sigma rule
title: Renamed SysInternals DebugView Execution
id: cd764533-2e07-40d6-a718-cfeec7f2da7f
status: test
description: Detects suspicious renamed SysInternals DebugView execution
references:
    - https://www.epicturla.com/blog/sysinturla
author: Florian Roth (Nextron Systems)
date: 2020-05-28
modified: 2023-02-14
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Sysinternals DebugView'
    filter:
        OriginalFileName: 'Dbgview.exe'
        Image|endswith: '\Dbgview.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
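The rule's "selection and not filter" logic evaluated over constructed process_creation events, as an added example that is not part of the Sigma project or the rule author's work. It assumes Sysmon-style field names (Image, OriginalFileName, Product) and Sigma's default case-insensitive string matching; note that the filter only suppresses an event when both of its fields match, so a binary that keeps its original file name but runs from a renamed image still alerts.

```python
# Added example (not from the Sigma project): evaluate the DebugView rule
# over constructed Sysmon process_creation events.
from typing import Dict, List

SELECTION_PRODUCT = "Sysinternals DebugView"
FILTER_ORIGINAL_FILENAME = "Dbgview.exe"
FILTER_IMAGE_SUFFIX = "\\Dbgview.exe"


def matches_selection(event: Dict[str, str]) -> bool:
    # Sigma compares strings case-insensitively by default.
    return event.get("Product", "").lower() == SELECTION_PRODUCT.lower()


def matches_filter(event: Dict[str, str]) -> bool:
    # Fields inside one Sigma map are ANDed: both must match to suppress.
    original_ok = event.get("OriginalFileName", "").lower() == FILTER_ORIGINAL_FILENAME.lower()
    image_ok = event.get("Image", "").lower().endswith(FILTER_IMAGE_SUFFIX.lower())
    return original_ok and image_ok


def is_renamed_debugview(event: Dict[str, str]) -> bool:
    # condition: selection and not filter
    return matches_selection(event) and not matches_filter(event)


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    # Return the Image path of every event the rule would flag.
    return [e.get("Image", "") for e in events if is_renamed_debugview(e)]


# Constructed sample events; paths and names are made up for illustration.
SAMPLE_EVENTS = [
    # Legitimate DebugView run from its original file name: suppressed.
    {"Image": "C:\\Tools\\Dbgview.exe", "OriginalFileName": "Dbgview.exe", "Product": "Sysinternals DebugView"},
    # DebugView binary copied to a different name: version info still says DebugView, so it alerts.
    {"Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "Dbgview.exe", "Product": "Sysinternals DebugView"},
    # Unrelated process: selection does not match.
    {"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows Operating System"},
    # Lower-case file name: still the original name under case-insensitive matching, so suppressed.
    {"Image": "C:\\Tools\\dbgview.exe", "OriginalFileName": "Dbgview.exe", "Product": "Sysinternals DebugView"},
]

if __name__ == "__main__":
    for image in find_alerts(SAMPLE_EVENTS):
        print("renamed DebugView execution:", image)
```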
Related rules
- PUA - Sysinternal Tool Execution - Registry
- PUA - Sysinternals Tools Execution - Registry
- Potential Execution of Sysinternals Tools
- Suspicious Execution Of Renamed Sysinternals Tools - Registry
- Suspicious Keyboard Layout Load