Windows Binaries Executed from Non-Default Directory



The query detects Windows binaries that are executed from a directory other than their default location (e.g. C:\Windows\, C:\Windows\System32, etc.). Such living-off-the-land binaries are catalogued by the LOLBAS project: https://lolbas-project.github.io/

Attribute            Value
Type                 Analytic Rule
Solution             Endpoint Threat Protection Essentials
ID                   15049017-527f-4d3b-b011-b0e99e68ef45
Severity             Medium
Status               Available
Kind                 Scheduled
Tactics              Execution
Techniques           T1059
Required Connectors  SecurityEvents, WindowsSecurityEvents
Source               View on GitHub

Tables Used

This content item queries data from the following tables:

Table           Selection Criteria   Transformations   Ingestion API   Lake-Only
SecurityEvent   EventID == "4688"    ?
