Techniques
Sample rules
Execution via WorkFolders.exe
- source: sigma
- techniques:
- t1218
Description
Detects the use of WorkFolders.exe to execute an arbitrary control.exe.
Detection logic
condition: selection and not filter
filter:
  Image: C:\Windows\System32\control.exe
selection:
  Image|endswith: \control.exe
  ParentImage|endswith: \WorkFolders.exe
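
The detection logic above, evaluated over constructed process-creation events. This is an added example, not part of the Sigma rule or its project; the event dictionaries, the user name and the function names are assumptions for illustration.

```python
# Added example: the rule's selection/filter logic in plain Python.
# Sigma string comparisons are case-insensitive by default, so both sides
# are lowercased before comparing.

SELECTION = {
    "Image|endswith": "\\control.exe",
    "ParentImage|endswith": "\\WorkFolders.exe",
}
FILTER = {"Image": "C:\\Windows\\System32\\control.exe"}


def _field_matches(event, key, expected):
    """Match one 'Field' or 'Field|endswith' entry against an event."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # missing field never matches
    expected = expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected


def _block_matches(event, block):
    """All entries inside one Sigma block are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(event):
    """condition: selection and not filter"""
    return _block_matches(event, SELECTION) and not _block_matches(event, FILTER)


WF = "C:\\Windows\\System32\\WorkFolders.exe"
# Constructed sample events (not real telemetry).
EVENTS = [
    # control.exe outside System32, started by WorkFolders.exe: alert
    {"ParentImage": WF, "Image": "C:\\Users\\alice\\Documents\\control.exe"},
    # the legitimate System32 binary: removed by the filter
    {"ParentImage": WF, "Image": "C:\\Windows\\System32\\control.exe"},
    # same path in different case: still filtered (case-insensitive match)
    {"ParentImage": WF, "Image": "c:\\windows\\system32\\CONTROL.EXE"},
    # different parent: selection does not match
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Temp\\control.exe"},
    # file name only ends in 'control.exe' without the path separator: no match
    {"ParentImage": WF, "Image": "C:\\Temp\\mycontrol.exe"},
]


def alerts(events):
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))
```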