CyberArkEPM - Renamed Windows binary
| Id | 9281b7cc-8f05-45a9-bf10-17fb29492a84 |
| Rulename | CyberArkEPM - Renamed Windows binary |
| Description | Detects renamed windows binaries. |
| Severity | High |
| Tactics | Execution DefenseEvasion |
| Techniques | T1204 T1036 |
| Required data connectors | CyberArkEPM |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml |
| Version | 1.0.0 |
| Arm template | 9281b7cc-8f05-45a9-bf10-17fb29492a84.json |
CyberArkEPM
| where EventSubType != 'AttackAttempt'
| where ActingProcessName has @'\'
| where ActingProcessName !has ActingProcessFileInternalName
| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
| extend AccountCustomEntity = ActorUsername
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml
query: |
CyberArkEPM
| where EventSubType != 'AttackAttempt'
| where ActingProcessName has @'\'
| where ActingProcessName !has ActingProcessFileInternalName
| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
| extend AccountCustomEntity = ActorUsername
requiredDataConnectors:
- dataTypes:
- CyberArkEPM
connectorId: CyberArkEPM
tactics:
- Execution
- DefenseEvasion
name: CyberArkEPM - Renamed Windows binary
relevantTechniques:
- T1204
- T1036
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
queryFrequency: 1h
description: |
'Detects renamed windows binaries.'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
queryPeriod: 1h
id: 9281b7cc-8f05-45a9-bf10-17fb29492a84