title: Taskmgr as LOCAL_SYSTEM
author: Florian Roth
date: 2018/03/18
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    User:
    - NT AUTHORITY\SYSTEM*
    - AUTORITE NT\Sys*
  SELECTION_3:
    Image: '*\taskmgr.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/08/26
status: experimental
tags:
- attack.defense_evasion
- attack.t1036
ruletype: SIGMA