Suspicious command line tokens in LolBins or LolScripts

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This query identifies Microsoft-signed Binaries and Scripts that are not system initiated. This technique is commonly used in phishing attacks.

Attribute Value
Type Hunting Query
Solution Windows Security Events
ID 6cdef739-18f6-4b3a-8fdc-93e9a4302dbf
Severity Medium
Tactics Execution
Techniques T1218
Required Connectors SecurityEvents
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
SecurityEvent EventID == "4688" ?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Hunting Queries · Back to Windows Security Events