Taskmgr as LOCAL_SYSTEM
Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM.
Sigma rule
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        Image|endswith: '\taskmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
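The following is an added example, not part of the Sigma project or of this rule page: a minimal Python evaluation of the rule's selection block over a handful of constructed process-creation events. It assumes Sysmon-style field names (User, Image) as the logsource mapping would provide them, and it applies Sigma's default case-insensitive string matching for the contains and endswith modifiers. The sample events are made up for the demonstration; the German "NT-AUTORITÄT\SYSTEM" form shows why the rule matches on the substring 'AUTORI' rather than on the English account name.

```python
# Added example (not the Sigma project's code): evaluate the "selection" block of
# the "Taskmgr as LOCAL_SYSTEM" rule over constructed process_creation events.
# Assumes Sysmon-style field names: User and Image.

# Match values taken from the rule.
USER_SUBSTRINGS = ("AUTHORI", "AUTORI")   # "NT AUTHORITY", "NT-AUTORITÄT", ...
IMAGE_SUFFIX = "\\taskmgr.exe"


def _lower(value) -> str:
    """Normalise a possibly missing field to a lower-case string."""
    return (value or "").lower()


def matches_taskmgr_as_system(event: dict) -> bool:
    """Return True if the event satisfies the rule's selection.

    Sigma string modifiers (contains, endswith) are case-insensitive by
    default, so both fields are compared in lower case. A missing User or
    Image field never matches.
    """
    user = _lower(event.get("User"))
    image = _lower(event.get("Image"))
    user_hit = any(sub.lower() in user for sub in USER_SUBSTRINGS)
    image_hit = image.endswith(IMAGE_SUFFIX.lower())
    return user_hit and image_hit


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # LOCAL_SYSTEM launching Task Manager (mixed-case Image): should alert
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\Taskmgr.exe"},
    # Same on a German system: account name differs, 'AUTORI' still matches
    {"EventID": 1, "User": "NT-AUTORITÄT\\SYSTEM",
     "Image": "C:\\Windows\\System32\\taskmgr.exe"},
    # Ordinary user opening Task Manager: no alert
    {"EventID": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\taskmgr.exe"},
    # SYSTEM running a different binary: no alert
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    # Event without the fields the rule needs: no alert
    {"EventID": 1},
]


def find_hits(events) -> list:
    """Return the events that trigger the rule."""
    return [e for e in events if matches_taskmgr_as_system(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT Taskmgr as LOCAL_SYSTEM:", hit["User"], hit["Image"])
```

Running the block prints two alerts, one for each of the SYSTEM-context Task Manager launches. When porting the rule to a backend, keep the case-insensitive comparison: a literal, case-sensitive endswith on '\taskmgr.exe' would miss the mixed-case Taskmgr.exe image path that Windows commonly reports.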
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution