27 строки
1.4 KiB
YAML
27 строки
1.4 KiB
YAML
id: 60304ebf-ebdd-4869-a702-e0216d90ab46
|
|
name: Masquerading files
|
|
description: |
|
|
'Malware writers often use windows system process names for their malicious process names to make them blend
|
|
in with other legitimate commands that the Windows system executes.
|
|
An analyst can create a simple query looking for a process named svchost.exe.
|
|
It is recommended to filter out well-known security identifiers (SIDs) that are used to launch the legitimate svchost.exe process.
|
|
The query also filters out the legitimate locations from which svchost.exe is launched.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Execution
|
|
query: |
|
|
|
|
let timeframe = 1d;
|
|
SecurityEvent
|
|
| where TimeGenerated >= ago(timeframe)
|
|
| where NewProcessName endswith "\\svchost.exe"
|
|
| where SubjectUserSid !in ("S-1-5-18", "S-1-5-19", "S-1-5-20")
|
|
| where NewProcessName !contains ":\\Windows\\System32"
|
|
| where NewProcessName !contains ":\\Windows\\Syswow64"
|
|
| summarize minTimeGenerated=min(TimeGenerated), maxTimeGenerated=max(TimeGenerated), count() by Computer, SubjectUserName, NewProcessName, CommandLine, Account
|
|
| project minTimeGenerated , maxTimeGenerated , count_ , Computer , SubjectUserName , NewProcessName , CommandLine, Account
|
|
| extend timestamp = minTimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account
|
|
|