CyberArkEPM - Renamed Windows binary
| Id | 9281b7cc-8f05-45a9-bf10-17fb29492a84 |
| Rulename | CyberArkEPM - Renamed Windows binary |
| Description | Detects renamed Windows binaries. |
| Severity | High |
| Tactics | Execution DefenseEvasion |
| Techniques | T1204 T1036 |
| Required data connectors | CyberArkEPM |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml |
| Version | 1.0.0 |
| Arm template | 9281b7cc-8f05-45a9-bf10-17fb29492a84.json |
```kql
CyberArkEPM
| where EventSubType != 'AttackAttempt'
| where ActingProcessName has @'\'
| where ActingProcessName !has ActingProcessFileInternalName
| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
| extend AccountCustomEntity = ActorUsername
```
```yaml
queryPeriod: 1h
query: |
  CyberArkEPM
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessName has @'\'
  | where ActingProcessName !has ActingProcessFileInternalName
  | project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
  | extend AccountCustomEntity = ActorUsername
name: CyberArkEPM - Renamed Windows binary
entityMappings:
  - fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
    entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
description: |
  'Detects renamed windows binaries.'
kind: Scheduled
version: 1.0.0
queryFrequency: 1h
severity: High
relevantTechniques:
  - T1204
  - T1036
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - DefenseEvasion
id: 9281b7cc-8f05-45a9-bf10-17fb29492a84
```