Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mitre.org/techniques/T1036. Get a list of all processes run, except those run from system32 or SysWOW64.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | e1528e63-165f-4810-b2eb-24a181a3011e |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
DeviceProcessEvents |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊