Techniques
Sample rules
Potentially Suspicious Electron Application CommandLine
- source: sigma
- techniques:
Description
Detects potentially suspicious command lines of Electron-based applications (Teams, Discord, Slack, etc.). Such switches can be a sign of abuse to proxy execution through a signed binary.
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - --browser-subprocess-path
        - --gpu-launcher
        - --renderer-cmd-prefix
        - --utility-cmd-prefix
selection_img:
    - Image|endswith:
        - \chrome.exe
        - \code.exe
        - \discord.exe
        - \GitHubDesktop.exe
        - \keybase.exe
        - \msedge_proxy.exe
        - \msedge.exe
        - \msedgewebview2.exe
        - \msteams.exe
        - \slack.exe
        - \Teams.exe
    - OriginalFileName:
        - chrome.exe
        - code.exe
        - discord.exe
        - GitHubDesktop.exe
        - keybase.exe
        - msedge_proxy.exe
        - msedge.exe
        - msedgewebview2.exe
        - msteams.exe
        - slack.exe
        - Teams.exe
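The following is an added example, not part of the Sigma rule or the Sigma project, that implements the detection logic above in plain Python and runs it over a handful of constructed process-creation events. It mirrors the rule's semantics: the `contains` and `endswith` modifiers are case-insensitive (Sigma's default), the two list items under `selection_img` are OR-ed, and `all of selection_*` requires both selections to match. The event field names (`Image`, `OriginalFileName`, `CommandLine`) follow the rule; every path and value in the sample events is invented for illustration.

```python
"""Added example: minimal evaluator for the Electron command-line Sigma rule,
run over constructed process-creation events. Not the project's own code."""

# Values copied from the rule's selections. Comparisons are done on lowercased
# strings because Sigma's contains/endswith modifiers are case-insensitive.
CLI_FLAGS = (
    "--browser-subprocess-path",
    "--gpu-launcher",
    "--renderer-cmd-prefix",
    "--utility-cmd-prefix",
)

ELECTRON_BINARIES = (
    "chrome.exe", "code.exe", "discord.exe", "githubdesktop.exe",
    "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe",
    "msteams.exe", "slack.exe", "teams.exe",
)


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains any of the listed switches."""
    cmdline = event.get("CommandLine", "").lower()
    return any(flag in cmdline for flag in CLI_FLAGS)


def selection_img(event: dict) -> bool:
    """selection_img: the rule's two list items are OR-ed. Image|endswith catches
    the normal install path; OriginalFileName (from PE version info) keeps the
    rule firing when the binary on disk has been renamed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    by_image = any(image.endswith("\\" + name) for name in ELECTRON_BINARIES)
    by_original = original in ELECTRON_BINARIES
    return by_image or by_original


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_cli(event) and selection_img(event)


def alerts(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [event["id"] for event in events if matches(event)]


# Constructed sample events; paths, ids and switch values are invented.
SAMPLE_EVENTS = [
    {   # ordinary Teams renderer child: Electron image, but no listed switch
        "id": "evt-1",
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "OriginalFileName": "Teams.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer',
    },
    {   # Teams launched with a GPU-launcher prefix: both selections match
        "id": "evt-2",
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "OriginalFileName": "Teams.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe" --gpu-launcher=C:\Temp\placeholder.exe',
    },
    {   # mixed-case image name and switch: still matches (case-insensitive)
        "id": "evt-3",
        "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
        "OriginalFileName": "Discord.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe" --Renderer-Cmd-Prefix=C:\Temp\placeholder.exe',
    },
    {   # listed switch on a non-Electron image: selection_img fails, no alert
        "id": "evt-4",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe --gpu-launcher=C:\Temp\placeholder.exe",
    },
    {   # renamed copy: image name is unknown, but OriginalFileName is msteams.exe
        "id": "evt-5",
        "Image": r"C:\Temp\updater.exe",
        "OriginalFileName": "msteams.exe",
        "CommandLine": r"updater.exe --utility-cmd-prefix=C:\Temp\placeholder.exe",
    },
]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # expected: ['evt-2', 'evt-3', 'evt-5']
```

Two things worth noting when porting this to a real backend: the `OriginalFileName` branch only helps if the log source populates that field from the PE version resource (Sysmon event ID 1 does, the native 4688 event does not), and the Image list is a literal enumeration, so an Electron app not on it (or one installed under a different executable name) is not covered.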