This detection identifies DLLs loaded by high-integrity processes and cross-checks each DLL's path against FileCreate/FileModify events for the same file performed by a medium-integrity process: the DLL side-loading/hijacking pattern (T1574.002) in which an unprivileged writer plants a library that a privileged process later loads. To keep false positives down, FileCreate/FileModify actions by "NT Authority\System" and by RID 500 accounts (the built-in Administrator) are excluded, since those writers are already privileged and no boundary is crossed. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token eleva
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | FalconFriday |
| ID | 3084b487-fad6-4000-9544-6085b9657290 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence, PrivilegeEscalation, DefenseEvasion |
| Techniques | T1574.002 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
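To make the cross-check concrete, here is an added example (it is not the FalconFriday rule's own KQL) that re-implements the logic described above in Python over constructed Defender for Endpoint-style records, so it can be run offline. Column names follow the advanced-hunting schema of DeviceImageLoadEvents and DeviceFileEvents, and `TokenElevationTypeDefault` / `TokenElevationTypeLimited` are the schema's values for a default or limited token; the event rows, device IDs, account names, SIDs and the seven-day lookback window are all made up for the example, as is the restriction to `.dll` image paths.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Advanced-hunting values for the two token elevation types the description keeps.
ALLOWED_TOKEN_ELEVATION = {"TokenElevationTypeDefault", "TokenElevationTypeLimited"}
SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM


def _ts(s):
    """Parse the ISO-8601 Timestamp column (trailing Z = UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_system_or_builtin_admin(ev):
    """True for writes by SYSTEM or by an account whose SID ends in RID 500."""
    sid = ev.get("InitiatingProcessAccountSid", "")
    return sid == SYSTEM_SID or sid.endswith("-500")


def interesting_writes(file_events):
    """Index FileCreated/FileModified rows by (DeviceId, lowercased full path), keeping only
    medium-integrity writers with a default/limited token that are not SYSTEM or RID 500."""
    index = defaultdict(list)
    for ev in file_events:
        if ev["ActionType"] not in ("FileCreated", "FileModified"):
            continue
        if ev["InitiatingProcessIntegrityLevel"] != "Medium":
            continue
        if ev["InitiatingProcessTokenElevation"] not in ALLOWED_TOKEN_ELEVATION:
            continue
        if is_system_or_builtin_admin(ev):
            continue
        index[(ev["DeviceId"], ev["FolderPath"].lower())].append(ev)
    return index


def dll_hijack_candidates(image_loads, file_events, max_age=timedelta(days=7)):
    """One finding per (high-integrity DLL load, earlier qualifying write of the same path).
    max_age is an assumption of this example; the rule description states no lookback window."""
    writes = interesting_writes(file_events)
    findings = []
    for load in image_loads:
        if load["InitiatingProcessIntegrityLevel"] != "High":
            continue
        path = load["FolderPath"].lower()
        if not path.endswith(".dll"):  # assumption: only DLL images are of interest
            continue
        loaded_at = _ts(load["Timestamp"])
        for w in writes.get((load["DeviceId"], path), []):
            written_at = _ts(w["Timestamp"])
            # The write must precede the load; a write after the load is a different story.
            if written_at <= loaded_at <= written_at + max_age:
                findings.append({"DeviceId": load["DeviceId"], "Dll": load["FolderPath"],
                                 "LoadedBy": load["InitiatingProcessFileName"],
                                 "WrittenBy": w["InitiatingProcessAccountName"],
                                 "WriterProcess": w["InitiatingProcessFileName"],
                                 "WriteAction": w["ActionType"]})
    return findings


def _file_event(ts, dev, action, path, proc, user, sid, integrity, elevation):
    """Build a constructed DeviceFileEvents row."""
    return {"Timestamp": ts, "DeviceId": dev, "ActionType": action, "FolderPath": path,
            "InitiatingProcessFileName": proc, "InitiatingProcessAccountName": user,
            "InitiatingProcessAccountSid": sid, "InitiatingProcessIntegrityLevel": integrity,
            "InitiatingProcessTokenElevation": elevation}


def _image_load(ts, dev, path, proc, integrity):
    """Build a constructed DeviceImageLoadEvents row."""
    return {"Timestamp": ts, "DeviceId": dev, "FolderPath": path,
            "InitiatingProcessFileName": proc, "InitiatingProcessIntegrityLevel": integrity}


# Constructed sample data (not real telemetry).
FILE_EVENTS = [
    # alice drops a DLL into a vendor directory from an unelevated process -> should match
    _file_event("2024-03-01T09:58:00Z", "dev-1", "FileCreated", r"c:\program files\vendor\app\Helper.dll",
                "explorer.exe", "alice", "S-1-5-21-1111-2222-3333-1001", "Medium", "TokenElevationTypeLimited"),
    # Windows servicing rewrites a system DLL as SYSTEM -> excluded
    _file_event("2024-03-01T09:00:00Z", "dev-1", "FileModified", r"C:\Windows\System32\version.dll",
                "TiWorker.exe", "SYSTEM", SYSTEM_SID, "System", "TokenElevationTypeDefault"),
    # built-in Administrator (RID 500) installs a plugin -> excluded
    _file_event("2024-03-01T09:30:00Z", "dev-1", "FileCreated", r"C:\Program Files\Vendor\app\plugin.dll",
                "setup.exe", "Administrator", "S-1-5-21-1111-2222-3333-500", "Medium", "TokenElevationTypeDefault"),
    # bob overwrites helper.dll after the load below -> excluded by ordering
    _file_event("2024-03-01T10:30:00Z", "dev-1", "FileModified", r"C:\Program Files\Vendor\app\helper.dll",
                "cmd.exe", "bob", "S-1-5-21-1111-2222-3333-1002", "Medium", "TokenElevationTypeDefault"),
]

IMAGE_LOADS = [
    _image_load("2024-03-01T10:05:00Z", "dev-1", r"C:\Program Files\Vendor\app\helper.dll", "vendorsvc.exe", "High"),
    _image_load("2024-03-01T10:05:01Z", "dev-1", r"C:\Windows\System32\version.dll", "vendorsvc.exe", "High"),
    _image_load("2024-03-01T10:06:00Z", "dev-1", r"C:\Program Files\Vendor\app\plugin.dll", "vendorsvc.exe", "High"),
    # same path loaded by a medium-integrity process on another device: no boundary crossed
    _image_load("2024-03-01T10:07:00Z", "dev-2", r"C:\Program Files\Vendor\app\helper.dll", "vendorapp.exe", "Medium"),
]

if __name__ == "__main__":
    for finding in dll_hijack_candidates(IMAGE_LOADS, FILE_EVENTS):
        print(finding)
```

Only alice's write survives the filters and pairs with the high-integrity load of the same path (note the case-insensitive path match), so the sample yields a single finding. In production the join key should also include the file hash where available, so that a legitimate vendor update of the same path is not reported as a hijack.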
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| DeviceFileEvents | ActionType in "FileCreated,FileModified" | ✓ | ✗ | ? |
| DeviceImageLoadEvents | | ✓ | ✗ | ? |