
Summary
This detection rule identifies potentially malicious activity by analyzing the names and patterns used in executable files or scripts that are commonly associated with hacking tools or malware. The rule targets characteristics in both the image path and the command line arguments of processes being created on Windows systems. It checks for specific strings or patterns often found in malicious samples, such as filenames containing 'CVE', 'poc.exe', or 'artifact.exe', as well as common script names that attackers use to exploit or control systems. The detection conditions are deliberately broad: a single matching pattern in either field is enough to trigger an alert, which reduces the risk of missing potentially harmful activity. False positives may arise from legitimate software tools whose paths or arguments coincidentally match these patterns, and this can result in alert fatigue if matches are not triaged adequately. The rule is a basic building block for endpoint detection and helps to surface possible exploitation attempts or execution of malicious scripts.
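The following is an added example, not code from the rule's author or from the Sigma project, showing how the matching logic described above behaves when run over a handful of constructed Windows process-creation events. It assumes case-insensitive substring matching over the Image and CommandLine fields (the behaviour of Sigma's 'contains' modifier) and uses only the three patterns the summary names; the known-good directory allow-list is a hypothetical triage aid added here to illustrate the false-positive caveat, not part of the rule.

```python
from typing import Dict, List

# Patterns named in the rule summary. Matching is case-insensitive substring
# search, which is how Sigma's 'contains' modifier behaves (assumption).
SUSPICIOUS_PATTERNS = ("cve", "poc.exe", "artifact.exe")

# The two process-creation fields the rule inspects.
INSPECTED_FIELDS = ("Image", "CommandLine")

# Hypothetical allow-list for triage only: known vendor tooling whose paths
# happen to contain one of the patterns. Not part of the detection rule.
KNOWN_GOOD_DIRS = ("c:\\program files\\vendor\\vulnscanner\\",)

# Constructed sample events (not real telemetry). EventId is a local label.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "e1",
     "Image": r"C:\Users\bob\Downloads\CVE-2021-1675.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\CVE-2021-1675.exe"'},
    {"EventId": "e2",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Temp\poc.exe"},
    {"EventId": "e3",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.txt"},
    {"EventId": "e4",
     "Image": r"C:\Program Files\Vendor\VulnScanner\cve_feed_updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\VulnScanner\cve_feed_updater.exe" --sync'},
    {"EventId": "e5",
     "Image": r"C:\Temp\artifact.exe",
     "CommandLine": r"artifact.exe"},
]


def match_patterns(event: Dict[str, str]) -> List[str]:
    """Return 'Field:pattern' hits. A non-empty list means the rule fires,
    mirroring the 'any one pattern in any inspected field' condition."""
    hits = []
    for field in INSPECTED_FIELDS:
        value = event.get(field, "").lower()
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern in value:
                hits.append(f"{field}:{pattern}")
    return hits


def is_known_good(event: Dict[str, str]) -> bool:
    """Triage helper: True when the image lives in an allow-listed directory."""
    image = event.get("Image", "").lower()
    return any(image.startswith(d) for d in KNOWN_GOOD_DIRS)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over events and annotate each alert with a likely-FP flag."""
    alerts = []
    for event in events:
        hits = match_patterns(event)
        if not hits:
            continue
        alerts.append({
            "EventId": event["EventId"],
            "hits": hits,
            "likely_fp": is_known_good(event),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block alerts on four of the five constructed events: the CVE-named download, the poc.exe launched via cmd.exe (matched only through CommandLine), the artifact.exe, and the vendor updater whose path contains 'cve', which the allow-list marks as a likely false positive; notepad.exe is not flagged.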
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1560.001
Created: 2022-02-11