
Summary
This detection rule identifies uncommon child processes spawned by Setres.EXE, a Windows server utility used to set screen resolutions. Its primary focus is on cases where the legitimate Setres.EXE launches an atypical child process named 'choice', which may indicate abuse of the utility. Setres.EXE may be exploited by attackers to execute an arbitrary file named 'choice' from the current execution path, potentially leading to elevation of privileges or execution of malicious payloads. The detection logic is defined under a process creation log source: it checks whether the parent process image ends with '\setres.exe' and the child process image contains '\choice'. It also applies a filter that excludes legitimate executions from known system paths (System32 and SysWOW64). The rule has a high alert level, targets the risk of Setres.EXE being used in a malicious context, and notes a low likelihood of false positives, supporting its reliability in environments where Setres.EXE is in use.
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-12-11