Malware in the recycle bin (Normalized Process Events)
Detection rule (Kusto Query Language)
Identifies malware that has been hidden in the recycle bin. To use this analytics rule, make sure you have deployed the ASIM normalization parsers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1564 Hide Artifacts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 5 | Process terminated |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4689 | A process has exited. |
Stages and Predicates
Stage 1: source imProcessCreate
Stage 2: where CommandLine match "recycler"
Stage 3: where Process match "procList"
Stage 4: extend
Stage 5: where FileName eq "procList"
Stage 6: project
Stage 7: extend
Stage 8: extend
Stage 9: extend
Stage 10: project-away
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | |
| FileName | in | |
| Process | match | |