
Summary
The "Suspicious File Write" detection rule identifies potentially malicious file creation on endpoint systems. It uses Sysmon EventID 11 to monitor file writes and filters them against a lookup file of file names historically associated with malicious behavior. Matching events are aggregated to track filesystem activity, recording the number of actions and the specific file paths involved; the first and last observed times let analysts distinguish unusual, one-off activity from regular, recurring activity. Any unauthorized or suspicious file creation the rule surfaces should be investigated further to determine its legitimacy, bearing in mind that legitimate processes using similar file names are a known source of false positives.
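The aggregation described above, as an added Python example rather than the rule's own search: constructed Sysmon EventID 11 records are filtered against a constructed placeholder lookup (not real indicators), then counted per host with the paths, writing processes, and first/last times an analyst would use to triage the false positives the summary mentions.

```python
"""Toy re-implementation of the "Suspicious File Write" logic.

Example code for this page, not the detection content's own search.
The lookup names and the log records below are constructed placeholders.
"""
from datetime import datetime

# Constructed lookup of file names treated as suspicious (placeholders, not real indicators).
SUSPICIOUS_WRITES = {"placeholder_dropper.exe", "placeholder_loader.dll"}

# Constructed Sysmon records: (UtcTime, Computer, User, TargetFilename, Image, EventID).
# Record 4 is EventID 1 (process create) and must be ignored; record 3 tests case folding.
SAMPLE_EVENTS = [
    ("2024-11-14 09:00:01", "WS01", "alice", r"C:\Users\alice\AppData\Local\Temp\placeholder_dropper.exe", r"C:\Windows\explorer.exe", 11),
    ("2024-11-14 09:00:05", "WS01", "alice", r"C:\Users\alice\Documents\report.docx", r"C:\Program Files\Microsoft Office\WINWORD.EXE", 11),
    ("2024-11-14 09:07:30", "WS01", "alice", r"C:\ProgramData\PLACEHOLDER_LOADER.DLL", r"C:\Users\alice\AppData\Local\Temp\placeholder_dropper.exe", 11),
    ("2024-11-14 09:07:31", "WS01", "alice", r"C:\ProgramData\placeholder_loader.dll", r"C:\Windows\System32\rundll32.exe", 1),
    ("2024-11-14 10:00:00", "WS02", "bob", r"C:\Temp\notes.txt", r"C:\Windows\notepad.exe", 11),
]


def file_name(path: str) -> str:
    """Return the lower-cased base name of a Windows or POSIX path (lookup keys are names, not paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_file_writes(events, lookup=SUSPICIOUS_WRITES):
    """Filter EventID 11 writes by the lookup and aggregate per host.

    Returns {host: {"count", "users", "file_paths", "images", "firstTime", "lastTime"}}.
    """
    hits = {}
    for ts, host, user, target, image, event_id in events:
        if event_id != 11 or file_name(target) not in lookup:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        agg = hits.setdefault(host, {"count": 0, "users": set(), "file_paths": set(),
                                     "images": set(), "firstTime": t, "lastTime": t})
        agg["count"] += 1
        agg["users"].add(user)
        agg["file_paths"].add(target)
        agg["images"].add(image)          # writing process, useful when triaging false positives
        agg["firstTime"] = min(agg["firstTime"], t)
        agg["lastTime"] = max(agg["lastTime"], t)
    return hits


if __name__ == "__main__":
    for host, agg in suspicious_file_writes(SAMPLE_EVENTS).items():
        print(host, agg["count"], agg["firstTime"], agg["lastTime"], sorted(agg["file_paths"]))
```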
Categories
- Endpoint
Data Sources
- File
Created: 2024-11-14