Techniques
Sample rules
Use of Setres.exe
- source: sigma
- techniques:
  - t1202
  - t1218
Description
Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path.
Detection logic
    selection:
        Image|endswith: '\choice'
        ParentImage|endswith: '\setres.exe'
    condition: selection
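To show what the selection above actually flags, here is an added example (not part of the rule or the Sigma project) that evaluates the two `endswith` fields against constructed Sysmon process-creation events; the event data is invented for the demonstration.

```python
"""Evaluate the Setres.exe Sigma selection against constructed Sysmon
process-creation events (added example; the event data is constructed)."""

# Selection copied from the rule above. Sigma string matching is
# case-insensitive, which matters for Windows paths.
SELECTION = {
    "Image|endswith": "\\choice",
    "ParentImage|endswith": "\\setres.exe",
}

def field_matches(value, spec, modifier):
    """Apply one Sigma string modifier (case-insensitive)."""
    v, s = value.lower(), spec.lower()
    if modifier == "endswith":
        return v.endswith(s)
    if modifier == "startswith":
        return v.startswith(s)
    if modifier == "contains":
        return s in v
    if modifier is None:
        return v == s
    raise ValueError(f"unsupported modifier: {modifier}")

def event_matches(event, selection=SELECTION):
    """Every field in a Sigma selection map must match (logical AND)."""
    for key, spec in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(value, spec, modifier or None):
            return False
    return True

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\choice.exe",
     "ParentImage": "C:\\Windows\\System32\\setres.exe"},
    {"EventID": 1, "Image": "C:\\Tools\\choice",
     "ParentImage": "C:\\Windows\\System32\\SETRES.EXE"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\choice.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

def matching_events(events=EVENTS, selection=SELECTION):
    """Return the events the selection would alert on."""
    return [e for e in events if event_matches(e, selection)]

if __name__ == "__main__":
    for e in matching_events():
        print("ALERT:", e["ParentImage"], "->", e["Image"])
```

Note that with `endswith: '\choice'` only the extension-less `C:\Tools\choice` event is flagged; an image such as `choice.exe` or `choice.cmd`, as the description envisages, would need a `contains` modifier or the extensions listed explicitly.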