
Summary
The detection rule 'PUA - Seatbelt Execution' identifies execution of Seatbelt, a potentially unwanted application (PUA) commonly used for host reconnaissance both in penetration tests and in genuine intrusions. The rule inspects Windows process-creation events and examines two kinds of indicators: the PE (Portable Executable) attributes of the started process and its command line. On the PE side it checks for an image path ending in 'Seatbelt.exe', an original file name of 'Seatbelt.exe', and a file description referencing 'Seatbelt'; on the command-line side it looks for arguments that invoke the tool's various data-collection modules. These conditions are combined so that any execution of the tool is flagged. The rule weights Seatbelt's likely malicious use heavily while assuming a low false-positive rate, so it is assigned a high level without disrupting benign operations. It is valuable to incident response teams and security analysts who want to monitor for reconnaissance activity that may indicate an ongoing attack.
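To make the described logic concrete, here is an added example (not the rule's own code and not part of the Sigma project) that applies the PE-attribute and command-line branches to constructed process-creation events; the field names follow the Sysmon/Sigma convention (Image, OriginalFileName, Description, CommandLine), and the command-line indicators are assumptions modelled on Seatbelt's "-group=" switch syntax rather than the rule's actual list.

```python
from typing import Dict, List

# Assumed command-line indicators (stand-ins for the rule's own argument list).
# The leading space mirrors the common Sigma habit of matching " -switch" to
# avoid hitting unrelated substrings.
CLI_INDICATORS = (" -group=", " -outputfile=")


def pe_match(event: Dict[str, str]) -> bool:
    """PE-attribute branch: image path suffix, original file name, or description."""
    image = event.get("Image", "").lower()
    return (
        image.endswith("\\seatbelt.exe")
        or event.get("OriginalFileName", "").lower() == "seatbelt.exe"
        or "seatbelt" in event.get("Description", "").lower()
    )


def cli_match(event: Dict[str, str]) -> bool:
    """Command-line branch: any assumed Seatbelt data-collection switch."""
    cmd = event.get("CommandLine", "").lower()
    return any(ind in cmd for ind in CLI_INDICATORS)


def seatbelt_execution(event: Dict[str, str]) -> bool:
    """The rule fires when either branch matches (conditions are OR-ed)."""
    return pe_match(event) or cli_match(event)


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return the RecordIds of the events the rule's logic would flag."""
    return [e["RecordId"] for e in events if seatbelt_execution(e)]


# Constructed sample events: a renamed binary still carrying its PE metadata,
# an unrenamed run, a renamed binary with stripped metadata that only the
# command line reveals, and a benign service host process.
SAMPLE_EVENTS = [
    {"RecordId": "1", "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "Seatbelt.exe", "Description": "Seatbelt",
     "CommandLine": "svc.exe -group=all"},
    {"RecordId": "2", "Image": "C:\\Tools\\Seatbelt.exe",
     "OriginalFileName": "Seatbelt.exe", "Description": "Seatbelt",
     "CommandLine": "Seatbelt.exe LogonSessions"},
    {"RecordId": "3", "Image": "C:\\Temp\\update.exe",
     "OriginalFileName": "", "Description": "",
     "CommandLine": "update.exe -group=system"},
    {"RecordId": "4", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "Description": "Host Process for Windows Services",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # -> ['1', '2', '3']
```

Event 3 shows why the command-line branch matters: with the image renamed and the version resource stripped, the PE checks alone would miss it.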
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2022-10-18