Detection Title
Detection Template
Query
// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"About this query
Detection Title
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1134.002 | Access Token Manipulation: Create Process with Token | https://attack.mitre.org/techniques/T1134/002/ |
Description
Description of the detection rule.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Risk
Explain what risk this detection tries to cover
Author <Optional>
- Name:
- Github:
- Twitter:
- LinkedIn:
- Website:
References
Defender XDR
Sentinel
// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"
Explanation
This query is designed to detect a specific security threat related to the manipulation of access tokens, specifically the creation of a process using a manipulated token. This technique is identified by the MITRE ATT&CK framework as T1134.002. The query focuses on monitoring events where a process is executed with a particular file name, "Example.File," which could indicate suspicious activity. The goal is to identify potential unauthorized access or privilege escalation attempts by observing these process creation events. The query can be used in both Defender XDR and Sentinel environments to enhance security monitoring and threat detection.
