Sysmon – Find Processes with Renamed Executables

jwalzer
You already voted!

index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | rex field=Image "[\\\/](?<filename>[^\\\/]*)$" | eval filename=lower(filename)| stats dc(filename) as NumFilenames values(filename) as Filenames values(Image) as Images by Hashes | where NumFilenames>1

Share This:

Tagged: sysmon

Leave A Comment? Click here to cancel reply.

Newest | Active

Rituparna kar

Active 2 hours, 39 minutes ago
Iryna

Active 1 day ago
tenderpale6

Active 1 day, 7 hours ago
theproducer

Active 1 day, 12 hours ago
selljacket4

Active 1 day, 21 hours ago