New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Sigma rule (View on GitHub)
1title: New Process Created Via Taskmgr.EXE
2id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
3status: test
4description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
5references:
6 - https://twitter.com/ReneFreingruber/status/1172244989335810049
7author: Florian Roth (Nextron Systems)
8date: 2018/03/13
9modified: 2024/01/18
10tags:
11 - attack.defense_evasion
12 - attack.t1036
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 ParentImage|endswith: '\taskmgr.exe'
19 filter_main_generic:
20 Image|endswith:
21 - ':\Windows\System32\mmc.exe'
22 - ':\Windows\System32\resmon.exe'
23 - ':\Windows\System32\Taskmgr.exe'
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - Administrative activity
27level: low
References
Related rules
- New or Renamed User Account with '$' Character
- Taskmgr as LOCAL_SYSTEM
- CodePage Modification Via MODE.COM To Russian Language
- Findstr Launching .lnk File
- System Control Panel Item Loaded From Uncommon Location