Taskmgr as LOCAL_SYSTEM

Aug 12, 2024 · attack.defense-evasion attack.t1036 ·

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

Sigma rule (View on GitHub)

 1title: Taskmgr as LOCAL_SYSTEM
 2id: 9fff585c-c33e-4a86-b3cd-39312079a65f
 3status: test
 4description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
 5references:
 6    - Internal Research
 7author: Florian Roth (Nextron Systems)
 8date: 2018-03-18
 9modified: 2022-05-27
10tags:
11    - attack.defense-evasion
12    - attack.t1036
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        User|contains: # covers many language settings
19            - 'AUTHORI'
20            - 'AUTORI'
21        Image|endswith: '\taskmgr.exe'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

Internal Research

Read More

Related rules

CodePage Modification Via MODE.COM To Russian Language
CreateDump Process Dump
DumpMinitool Execution
Explorer Process Tree Break
Findstr Launching .lnk File