
Summary
The rule "Single Letter Process On Endpoint" detects processes on endpoints whose names consist of a single letter, a pattern often associated with malware or with evasion tactics adopted by attackers. The analytic uses data from Endpoint Detection and Response (EDR) sources, including Sysmon EventID 1 and Windows Security Event Log 4688, to monitor process names and the command lines they were executed with.
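The following is an added example of the detection logic the summary describes, run over a handful of constructed process-creation events; it is not the rule's own search and is not taken from the original page. It assumes that Sysmon EventID 1 and Security 4688 records have already been normalised to the hypothetical fields `image`, `command_line`, `parent` and `host` (the field names are an assumption), and it treats a process as "single letter" when its image file name, minus extension, is exactly one letter. An optional allow-list of full image paths is included so that known-good binaries can be tuned out without weakening the check itself.

```python
import ntpath
import re
from typing import Iterable

# Constructed sample events (not real telemetry): Sysmon EID 1 and
# Security 4688 records normalised to one hypothetical schema.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\a.exe",
     "command_line": "a.exe -k", "parent": r"C:\Windows\explorer.exe"},
    {"source": "security", "event_id": 4688, "host": "ws02",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami", "parent": r"C:\Windows\explorer.exe"},
    {"source": "security", "event_id": 4688, "host": "ws03",
     "image": r"C:\ProgramData\x",            # no extension at all
     "command_line": "x", "parent": r"C:\Windows\System32\services.exe"},
    {"source": "sysmon", "event_id": 1, "host": "ws04",
     "image": r"C:\Temp\7.exe",               # single digit, not a letter
     "command_line": "7.exe", "parent": r"C:\Windows\explorer.exe"},
    {"source": "sysmon", "event_id": 1, "host": "ws05",
     "image": r"C:\Program Files\App\ab.exe", # two letters
     "command_line": "ab.exe --serve", "parent": r"C:\Windows\explorer.exe"},
    {"source": "sysmon", "event_id": 1, "host": "ws06",
     "image": r"C:\Tools\Allowed\Z.EXE",      # allow-listed below
     "command_line": "Z.EXE", "parent": r"C:\Windows\explorer.exe"},
]

# One letter, either case, and nothing else.
SINGLE_LETTER = re.compile(r"^[A-Za-z]$")


def process_name(image: str) -> str:
    """Return the file name of a Windows image path without its extension.

    ntpath handles both backslash and forward-slash separators, and a
    path with no extension (e.g. ``C:\\ProgramData\\x``) yields ``x``.
    """
    base = ntpath.basename(image)
    name, _ext = ntpath.splitext(base)
    return name


def is_single_letter_process(image: str) -> bool:
    """True when the image's base name is exactly one letter."""
    return bool(SINGLE_LETTER.match(process_name(image)))


def detect(events: Iterable[dict], allowlist: frozenset = frozenset()) -> list:
    """Apply the single-letter-process check to normalised process events.

    ``allowlist`` holds full image paths (compared case-insensitively, as
    Windows paths are) that should not raise an alert.
    """
    hits = []
    for ev in events:
        image = ev.get("image", "")
        if not image or image.lower() in allowlist:
            continue
        if is_single_letter_process(image):
            hits.append({
                "host": ev.get("host"),
                "source": ev.get("source"),
                "event_id": ev.get("event_id"),
                "image": image,
                "command_line": ev.get("command_line"),
                "parent": ev.get("parent"),
            })
    return hits


if __name__ == "__main__":
    allowed = frozenset({r"c:\tools\allowed\z.exe"})  # constructed tuning entry
    for hit in detect(SAMPLE_EVENTS, allowed):
        print(f"[{hit['source']}:{hit['event_id']}] {hit['host']} "
              f"{hit['image']}  cmd={hit['command_line']!r}  parent={hit['parent']}")
```

Run as a script, this reports the events from ws01 and ws03 and nothing else: the digit-named and two-letter processes do not match, and the allow-listed path is skipped. In practice the allow-list should be kept short and reviewed, since a single-letter name is a weak signal on its own and the parent process and command line carried in each hit are what an analyst will use to decide whether it matters.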
Categories
- Endpoint
Data Sources
- Pod
- Process
- Windows Registry
ATT&CK Techniques
- T1204
- T1204.002
Created: 2024-12-10