CyberArkEPM - Renamed Windows binary
| Field | Value |
| --- | --- |
| Id | 9281b7cc-8f05-45a9-bf10-17fb29492a84 |
| Rulename | CyberArkEPM - Renamed Windows binary |
| Description | Detects a Windows process whose on-disk file name does not contain the InternalName recorded in the executable's version resource, a sign the binary was renamed to masquerade as something else. Events EPM has already classified as an attack attempt are excluded. |
| Severity | High |
| Tactics | Execution, DefenseEvasion |
| Techniques | T1204, T1036 |
| Required data connectors | CyberArkEPM |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt (an alert is raised when the query returns any row) |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml |
| Version | 1.0.0 |
| Arm template | 9281b7cc-8f05-45a9-bf10-17fb29492a84.json |
```kusto
CyberArkEPM
// Drop rows EPM has already classified as an attack; those are alerted on separately.
| where EventSubType != 'AttackAttempt'
// Require a full path so the next comparison runs against a file name, not a bare token.
| where ActingProcessName has @'\'
// `has` is a whole-term, case-insensitive match: the row survives when the
// version-resource InternalName is not a term of the on-disk path
// (e.g. an executable with InternalName "mimikatz" running as svchost.exe).
| where ActingProcessName !has ActingProcessFileInternalName
| project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
| extend AccountCustomEntity = ActorUsername
```

Two points to check before enabling this at High severity. First, `has` matches whole terms, so a legitimate binary whose InternalName is only a prefix of its file-name token, or differs from the file name by vendor convention, satisfies `!has` on every launch EPM records; baseline the InternalName/file-name pairs seen in your environment and allow-list the stable ones. Second, the `project` drops ActingProcessName, so the alert never shows the path the binary actually ran from; keeping that column in the projection makes triage far quicker.
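To see what the `!has` comparison actually matches, the following is an added Python emulation of the rule run over constructed rows; it is not part of the Azure Sentinel solution or of CyberArk EPM. The sample rows, the `row` helper and `renamed_binary_hits` are assumptions for illustration, the `kql_has` helper approximates Kusto's `has` operator (whole-term, case-insensitive) by tokenising both sides into runs of ASCII alphanumerics, and the empty-InternalName guard is an addition the published query does not have.

```python
"""Emulation of the 'CyberArkEPM - Renamed Windows binary' logic over constructed rows.

Added example, not code from the Azure Sentinel solution. It approximates the
KQL `has` operator so the effect of `ActingProcessName !has
ActingProcessFileInternalName` can be seen on sample data offline.
"""
import re

_TERM = re.compile(r"[A-Za-z0-9]+")


def kql_terms(text):
    """Approximate Kusto term tokenisation: maximal runs of ASCII alphanumerics, lower-cased."""
    return [t.lower() for t in _TERM.findall(text)]


def kql_has(haystack, needle):
    """Approximate KQL `has`: the needle's terms must appear as whole, contiguous
    terms in the haystack, case-insensitively. A needle that is only a prefix of a
    haystack term ('rundll' vs 'rundll32') does NOT match, which is exactly what
    makes `!has` noisy on real data. An empty needle is treated as no match
    (assumption; verify the real operator's behaviour in your workspace)."""
    h, n = kql_terms(haystack), kql_terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def row(path, internal, subtype="Launch", user="CORP\\alice"):
    """Build one constructed row shaped like the CyberArkEPM columns the rule reads.
    Every value except 'AttackAttempt' (named in the rule itself) is an assumption."""
    return {"EventEndTime": "2024-05-01T09:00:00Z", "EventSubType": subtype,
            "ActorUsername": user, "EventMessage": f"{path} launched",
            "ActingProcessName": path, "ActingProcessFileInternalName": internal}


# Constructed sample data covering the normal case, the masquerade the rule is
# after, the whole-term false positive, and the rows the rule's filters exclude.
SAMPLE_EVENTS = [
    row(r"C:\Windows\System32\cmd.exe", "cmd"),                  # name matches: not flagged
    row(r"C:\Users\Public\svchost.exe", "mimikatz"),             # masquerade: flagged
    row(r"C:\Temp\update.exe", "POWERSHELL", user="CORP\\bob"),  # flagged (case is irrelevant)
    row(r"C:\Windows\System32\rundll32.exe", "rundll"),          # prefix-only term: flagged (noise)
    row(r"C:\Program Files\Git\usr\bin\bash.exe", "bash.exe"),   # two contiguous terms: not flagged
    row(r"C:\Users\Public\svchost.exe", "mimikatz", subtype="AttackAttempt"),  # excluded by rule
    row("notepad.exe", "calc"),                                  # no backslash: excluded by rule
    row(r"C:\Tools\custom.exe", ""),                             # no InternalName: guarded below
]


def renamed_binary_hits(events):
    """Apply the rule's filters and return the rows it would alert on.

    Mirrors the published query, plus two deliberate additions: an empty
    InternalName is skipped instead of compared, and ActingProcessName is kept
    in the output so an analyst can see where the binary ran from."""
    hits = []
    for e in events:
        if e["EventSubType"] == "AttackAttempt":
            continue  # EPM already surfaced this as an attack
        path = e["ActingProcessName"]
        if "\\" not in path:
            continue  # rule wants a full path, not a bare image name
        internal = e["ActingProcessFileInternalName"]
        if not internal.strip():
            continue  # added guard: nothing to compare against
        if not kql_has(path, internal):
            hits.append({
                "EventEndTime": e["EventEndTime"],
                "EventMessage": e["EventMessage"],
                "ActorUsername": e["ActorUsername"],
                "ActingProcessFileInternalName": internal,
                "ActingProcessName": path,
                "AccountCustomEntity": e["ActorUsername"],  # entity mapping used by the rule
            })
    return hits


if __name__ == "__main__":
    for hit in renamed_binary_hits(SAMPLE_EVENTS):
        print(f'{hit["ActorUsername"]}: {hit["ActingProcessName"]} '
              f'(InternalName={hit["ActingProcessFileInternalName"]})')
```

The rundll32 row is the one to look at when tuning: the rule cannot tell a masqueraded tool from a legitimate binary whose InternalName is merely a prefix of its file-name term, so both land in the same High-severity alert until an allow-list of known pairs is added in front of the `!has` check.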
```yaml
id: 9281b7cc-8f05-45a9-bf10-17fb29492a84
entityMappings:
  - fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
    entityType: Account
description: |
  'Detects a Windows process whose on-disk file name does not contain the InternalName recorded in the executable's version resource, a sign the binary was renamed to masquerade as something else. Events EPM has already classified as an attack attempt are excluded.'
version: 1.0.0
query: |
  CyberArkEPM
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessName has @'\'
  | where ActingProcessName !has ActingProcessFileInternalName
  | project EventEndTime, EventMessage, ActorUsername, ActingProcessFileInternalName
  | extend AccountCustomEntity = ActorUsername
relevantTechniques:
  - T1204
  - T1036
queryPeriod: 1h
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml
kind: Scheduled
tactics:
  - Execution
  - DefenseEvasion
severity: High
triggerThreshold: 0
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
name: CyberArkEPM - Renamed Windows binary
triggerOperator: gt
```