New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC.
Sigma rule
title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
references:
    - https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018-03-13
modified: 2024-01-18
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\taskmgr.exe'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\System32\resmon.exe'
            - ':\Windows\System32\Taskmgr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: low
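The rule's selection and filter logic, re-implemented in Python over constructed process-creation events so the matching semantics (case-insensitive suffix matching, full-path filter entries) can be checked offline. This is an added example, not part of the Sigma rule or the SigmaHQ project; the `Image`/`ParentImage` dict fields and the sample events are assumptions.

```python
# Added example: evaluates this rule's 'selection and not 1 of filter_main_*'
# logic over constructed events. Event dicts use the Sigma field names
# Image and ParentImage (assumed mapping); sample events are constructed.

# Values copied from the rule's selection and filter_main_generic blocks.
SELECTION_PARENT_SUFFIX = "\\taskmgr.exe"
FILTER_IMAGE_SUFFIXES = (
    ":\\Windows\\System32\\mmc.exe",
    ":\\Windows\\System32\\resmon.exe",
    ":\\Windows\\System32\\Taskmgr.exe",
)

def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier compares case-insensitively by default."""
    return value.lower().endswith(suffix.lower())

def matches_rule(event: dict) -> bool:
    """True when the parent is taskmgr.exe and the child is not filtered."""
    selection = endswith_ci(event.get("ParentImage", ""), SELECTION_PARENT_SUFFIX)
    filtered = any(endswith_ci(event.get("Image", ""), s)
                   for s in FILTER_IMAGE_SUFFIXES)
    return selection and not filtered

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Task Manager opening Resource Monitor: expected, filtered out.
    {"ParentImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "Image": "C:\\Windows\\System32\\resmon.exe"},
    # Task Manager relaunching itself: filtered out.
    {"ParentImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "Image": "C:\\Windows\\System32\\Taskmgr.exe"},
    # Any other child under Task Manager is what the rule flags.
    {"ParentImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Same child from a different parent: selection fails, no alert.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

def alerts(events):
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT (level: low) child of Task Manager:", image)
```

Because the filter entries carry the full `:\Windows\System32\` prefix, a child named like one of them but launched from another directory is not filtered and still alerts; the parent check, by contrast, only requires the `\taskmgr.exe` suffix.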
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution