Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Finds legitimate system32 or syswow64 executables being run under a different name and in a different location. The rule will require tuning for your environment. MITRE: Masquerading https://attack.mitre.org/techniques/T1036. Get a list of all processes run, except those run from system32 or SysWOW64.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | e1528e63-165f-4810-b2eb-24a181a3011e |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Execution/Masquerading%20system%20executable.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊