LoFP / legitimate usage of stordiag.exe.

Techniques

t1218

Sample rules

Execution via stordiag.exe

source: sigma
technicques:
- t1218

Description

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

Detection logic

condition: selection and not filter
filter:
  ParentImage|startswith:
  - c:\windows\system32\
  - c:\windows\syswow64\
selection:
  Image|endswith:
  - \schtasks.exe
  - \systeminfo.exe
  - \fltmc.exe
  ParentImage|endswith: \stordiag.exe