sigmahighHunting

Renamed BrowserCore.EXE Execution

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

MITRE ATT&CK

credential-accessdefense-evasion

Detection Query

selection:
  OriginalFileName: BrowserCore.exe
filter_realbrowsercore:
  Image|endswith: \BrowserCore.exe
condition: selection and not 1 of filter_*

Author

Max Altgelt (Nextron Systems)

Created

2022-06-02

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://twitter.com/mariuszbit/status/1531631015139102720

Tags

attack.credential-accessattack.defense-evasionattack.t1528attack.t1036.003

Raw Content

title: Renamed BrowserCore.EXE Execution
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: test
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
references:
    - https://twitter.com/mariuszbit/status/1531631015139102720
author: Max Altgelt (Nextron Systems)
date: 2022-06-02
modified: 2023-02-03
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1528
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: BrowserCore.exe
    filter_realbrowsercore:
        Image|endswith: '\BrowserCore.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high