New Process Created Via Taskmgr.EXE

calendar Aug 12, 2024 · attack.defense-evasion attack.t1036  ·
Share on: linkedin copy

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

Sigma rule (View on GitHub)

 1title: New Process Created Via Taskmgr.EXE
 2id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
 3status: test
 4description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
 5references:
 6    - https://twitter.com/ReneFreingruber/status/1172244989335810049
 7author: Florian Roth (Nextron Systems)
 8date: 2018-03-13
 9modified: 2024-01-18
10tags:
11    - attack.defense-evasion
12    - attack.t1036
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\taskmgr.exe'
19    filter_main_generic:
20        Image|endswith:
21            - ':\Windows\System32\mmc.exe'
22            - ':\Windows\System32\resmon.exe'
23            - ':\Windows\System32\Taskmgr.exe'
24    condition: selection and not 1 of filter_main_*
25falsepositives:
26    - Administrative activity
27level: low

References

Related rules

to-top