Process Monitor Driver Creation By Non-Sysinternals Binary
- source: sigma
- techniques:
  - t1068
Description
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Detection logic
    selection:
        TargetFilename|contains: '\procmon'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procmon.exe'
            - '\procmon64.exe'
    condition: selection and not 1 of filter_main_*
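The detection logic above, evaluated against constructed file-creation events as an added example (not part of the original rule or the Sigma project); the event field names, sample paths and process names are assumed, and the matching follows Sigma's default case-insensitive string modifiers.

```python
# Added example (not from the original rule): evaluate the Sigma detection
# above against constructed file-creation events. Field names and sample
# values are assumed; Sigma's contains/endswith modifiers are case-insensitive.
from typing import Iterable

# Values taken from the rule's detection section.
SELECTION_CONTAINS = "\\procmon"
SELECTION_ENDSWITH = ".sys"
FILTER_IMAGE_ENDSWITH = ("\\procmon.exe", "\\procmon64.exe")


def selection_matches(event: dict) -> bool:
    """selection: TargetFilename contains '\\procmon' and ends with '.sys'."""
    target = event.get("TargetFilename", "").lower()
    return SELECTION_CONTAINS in target and target.endswith(SELECTION_ENDSWITH)


def filter_matches(event: dict) -> bool:
    """filter_main_process_explorer: Image ends with procmon.exe or procmon64.exe."""
    image = event.get("Image", "").lower()
    return any(image.endswith(suffix) for suffix in FILTER_IMAGE_ENDSWITH)


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event) and not filter_matches(event)


def alerting_events(events: Iterable[dict]) -> list:
    """Return the events that the rule would alert on."""
    return [e for e in events if rule_fires(e)]


# Constructed sample events (Sysmon Event ID 11-style file creation).
SAMPLE_EVENTS = [
    # Benign: Procmon itself drops its driver (mixed case on purpose).
    {"Image": "C:\\Tools\\Procmon64.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\PROCMON24.sys"},
    # Suspicious: an unrelated process writes the Procmon driver.
    {"Image": "C:\\Users\\Public\\update.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\procmon24.sys"},
    # Out of scope: procmon-named file that is not a .sys driver.
    {"Image": "C:\\Users\\Public\\update.exe",
     "TargetFilename": "C:\\Tools\\procmon.log"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "->", e["TargetFilename"])
```

Only the second sample event survives the filter, which is exactly the case the rule targets: the driver file appears, but the writing process is not procmon.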