Renamed SysInternals DebugView Execution
Detects suspicious renamed SysInternals DebugView execution
Sigma rule

title: Renamed SysInternals DebugView Execution
id: cd764533-2e07-40d6-a718-cfeec7f2da7f
status: test
description: Detects suspicious renamed SysInternals DebugView execution
references:
    - https://www.epicturla.com/blog/sysinturla
author: Florian Roth (Nextron Systems)
date: 2020/05/28
modified: 2023/02/14
tags:
    - attack.resource_development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Sysinternals DebugView'
    filter:
        OriginalFileName: 'Dbgview.exe'
        Image|endswith: '\Dbgview.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
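As an added example (not part of the rule or this page), the rule's matching logic in Python, run over constructed process_creation events. It shows two points a reader can miss: both keys inside the `filter` map must hold for the filter to apply, and Sigma string comparison is case-insensitive. Field names are the rule's own; the event records are constructed.

```python
# Added example: evaluate "selection and not filter" from the rule above
# over constructed process_creation events (dicts keyed by Sigma field name).
from typing import Dict, List, Optional

def _field(event: Dict[str, str], name: str) -> Optional[str]:
    """Lower-case a field value; Sigma string matching is case-insensitive."""
    value = event.get(name)
    return value.lower() if isinstance(value, str) else None

def selection(event: Dict[str, str]) -> bool:
    # selection: Product: 'Sysinternals DebugView'
    return _field(event, "Product") == "sysinternals debugview"

def filter_legit(event: Dict[str, str]) -> bool:
    # filter: both keys in one map form an implicit AND; a missing
    # OriginalFileName or Image means the filter does NOT apply.
    original = _field(event, "OriginalFileName")
    image = _field(event, "Image")
    return original == "dbgview.exe" and image is not None \
        and image.endswith("\\dbgview.exe")

def matches(event: Dict[str, str]) -> bool:
    # condition: selection and not filter
    return selection(event) and not filter_legit(event)

# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"id": "renamed", "Product": "Sysinternals DebugView",
     "OriginalFileName": "Dbgview.exe", "Image": r"C:\Users\Public\update.exe"},
    {"id": "legit", "Product": "Sysinternals DebugView",
     "OriginalFileName": "Dbgview.exe", "Image": r"C:\Tools\Dbgview.exe"},
    {"id": "mixed-case", "Product": "SYSINTERNALS DEBUGVIEW",
     "OriginalFileName": "DBGVIEW.EXE", "Image": r"C:\Tools\DBGVIEW.EXE"},
    {"id": "no-origname", "Product": "Sysinternals DebugView",
     "Image": r"C:\Tools\Dbgview.exe"},
    {"id": "other-tool", "Product": "Sysinternals Process Explorer",
     "OriginalFileName": "procexp.exe", "Image": r"C:\Tools\procexp.exe"},
]

def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(run(EVENTS))  # renamed binary and the event lacking OriginalFileName
```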
Related rules
- HackTool - PurpleSharp Execution
- Program Executions in Suspicious Folders
- ProxyLogon MSExchange OabVirtualDirectory
- Relevant ClamAV Message