Techniques
Sample rules
Suspicious Child Process Of Manage Engine ServiceDesk
- source: sigma
- techniques:
  - t1102
Description
Detects suspicious child processes of the “Manage Engine ServiceDesk Plus” Java web service
Detection logic
detection:
    selection:
        ParentImage|contains|all:
            - '\ManageEngine\ServiceDesk\'
            - '\java.exe'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\mftrace.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\query.exe'
            - '\reg.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' stop'
    condition: selection and not 1 of filter_main_*
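To see how the selection and the net.exe filter combine, here is an added Python evaluation of the rule logic above over a few constructed process-creation events (this is example code, not part of Sigma or any backend; field names follow the rule, and Sigma's default case-insensitive string matching is assumed):

```python
"""Evaluate the ServiceDesk child-process rule over constructed events."""

# Child images from the rule's selection (Image|endswith).
SUSPICIOUS_CHILDREN = [
    "\\AppVLP.exe", "\\bash.exe", "\\bitsadmin.exe", "\\calc.exe",
    "\\certutil.exe", "\\cscript.exe", "\\curl.exe", "\\forfiles.exe",
    "\\mftrace.exe", "\\mshta.exe", "\\net.exe", "\\net1.exe", "\\notepad.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\query.exe", "\\reg.exe",
    "\\schtasks.exe", "\\scrcons.exe", "\\sh.exe", "\\systeminfo.exe",
    "\\whoami.exe", "\\wmic.exe", "\\wscript.exe",
]
# ParentImage|contains|all: both fragments must appear in the parent path.
PARENT_FRAGMENTS = ["\\ManageEngine\\ServiceDesk\\", "\\java.exe"]


def _lc(event, key):
    # Sigma string modifiers match case-insensitively by default.
    return str(event.get(key, "")).lower()


def selection(event):
    parent, image = _lc(event, "ParentImage"), _lc(event, "Image")
    return (all(f.lower() in parent for f in PARENT_FRAGMENTS)
            and any(image.endswith(s.lower()) for s in SUSPICIOUS_CHILDREN))


def filter_main_net(event):
    # Benign service shutdowns ("net stop ...") are excluded by the rule.
    image = _lc(event, "Image")
    return (any(image.endswith(s) for s in ("\\net.exe", "\\net1.exe"))
            and " stop" in _lc(event, "CommandLine"))


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_net(event)


# Constructed sample events (not real telemetry).
_JAVA = "C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe"
_SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"id": "java-powershell", "ParentImage": _JAVA, "Image": _SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command whoami"},
    {"id": "java-net-stop", "ParentImage": _JAVA, "Image": _SYS32 + "net.exe", "CommandLine": "net stop ServiceDesk"},
    {"id": "java-net-user", "ParentImage": _JAVA, "Image": _SYS32 + "net.exe", "CommandLine": "net user"},
    {"id": "tomcat-powershell", "ParentImage": "C:\\Program Files\\Apache\\tomcat\\bin\\tomcat9.exe", "Image": _SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"},
    {"id": "java-conhost", "ParentImage": _JAVA, "Image": _SYS32 + "conhost.exe", "CommandLine": "conhost.exe 0x4"},
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(run_rule())  # ['java-powershell', 'java-net-user']
```

The "net stop" event is suppressed by the filter while "net user" from the same parent still alerts, which is exactly the gap the filter_main_net exception is meant to leave open.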