Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious use of secedit.exe, such as exporting or modifying the security policy.
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$' # SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
False Positives
Legitimate administrative use
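The three selectors and the rule condition above, evaluated in Python over a handful of constructed process-creation events. This is an added example, not the Sigma project's own code or any converter backend; the event dicts use the Sigma field names (Image, OriginalFileName, CommandLine) and the sample events, their ids and paths are constructed for illustration.

```python
"""Evaluate the secedit Sigma rule's selectors over constructed process-creation
events. Added example, not the Sigma project's code; event dicts use the Sigma
field names (Image, OriginalFileName, CommandLine)."""


def _contains_all(value, needles):
    # Sigma string modifiers (contains, endswith) compare case-insensitively.
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def selection_img(event):
    """selection_img is a list of maps in Sigma, so its two entries are OR'ed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\secedit.exe") or original == "secedit"


def triggered_flag_selectors(event):
    """Return the selection_flags_* selectors that match (for `1 of selection_flags_*`)."""
    cmd = event.get("CommandLine", "")
    hits = []
    if _contains_all(cmd, ("/export", "/cfg")):      # selection_flags_discovery
        hits.append("selection_flags_discovery")
    if _contains_all(cmd, ("/configure", "/db")):    # selection_flags_configure
        hits.append("selection_flags_configure")
    return hits


def evaluate(event):
    """Rule condition: selection_img and (1 of selection_flags_*).

    Returns the flag selectors that fired; an empty list means no alert."""
    if not selection_img(event):
        return []
    return triggered_flag_selectors(event)


# Constructed sample events (not real telemetry). Sysmon Event ID 1 carries all
# three fields; Security Event ID 4688 has no OriginalFileName, so on that source
# only the Image path clause of selection_img can match.
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\secedit.exe",
     "OriginalFileName": "SeCEdit",
     "CommandLine": r"secedit /export /cfg C:\Temp\policy.inf"},
    {"id": "evt-2", "Image": r"C:\Windows\System32\secedit.exe",
     "OriginalFileName": "SeCEdit",
     "CommandLine": r"secedit.exe /configure /db C:\Temp\new.sdb /cfg C:\Temp\new.inf"},
    # /analyze with /db only: neither flag selector is complete.
    {"id": "evt-3", "Image": r"C:\Windows\System32\secedit.exe",
     "OriginalFileName": "SeCEdit",
     "CommandLine": r"secedit /analyze /db C:\Temp\secedit.sdb"},
    # Renamed copy: the Image clause fails, OriginalFileName still matches.
    {"id": "evt-4", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "SeCEdit",
     "CommandLine": r"svc.exe /export /cfg C:\Users\Public\out.inf"},
    # Same flag strings in another binary's command line: selection_img fails.
    {"id": "evt-5", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo /export /cfg"},
]


def run(events=SAMPLE_EVENTS):
    """Map event id -> fired flag selectors for every event the rule matches."""
    results = {}
    for event in events:
        fired = evaluate(event)
        if fired:
            results[event["id"]] = fired
    return results


if __name__ == "__main__":
    for event_id, fired in run().items():
        print(event_id, "->", ", ".join(fired))
```

Running the block flags evt-1, evt-2 and evt-4 and leaves evt-3 and evt-5 alone. The evt-4 case is the reason the rule ORs OriginalFileName with the image path: a renamed secedit.exe still matches on a log source that records PE version information (Sysmon Event ID 1), while a source without that field (Security 4688) only sees the path clause. The commented-out filter in the rule would suppress machine accounts (names ending in '$'), which belong to Event ID 4719 rather than to process-creation telemetry.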
MITRE ATT&CK
Tactics
Collection, Discovery, Persistence, Defense Evasion, Credential Access, Privilege Escalation
Techniques
T1562 · Impair Defenses
T1557 · Adversary-in-the-Middle
T1082 · System Information Discovery
Sub-techniques
T1562.002 · Disable Windows Event Logging
T1547.001 · Registry Run Keys / Startup Folder
T1505.005 · Terminal Services DLL
T1556.002 · Password Filter DLL
T1574.007 · Path Interception by PATH Environment Variable
T1564.002 · Hidden Users
T1546.008 · Accessibility Features
T1546.007 · Netsh Helper DLL
T1547.014 · Active Setup
T1547.010 · Port Monitors
T1547.002 · Authentication Package
Rule Metadata
Rule ID: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
Status: test
Level: medium
Type: Detection
Created: Fri Nov 18
Modified: Fri Dec 30
Author:
Path: rules/windows/process_creation/proc_creation_win_secedit_execution.yml
Raw Tags: attack.collection, attack.discovery, attack.persistence, attack.defense-evasion, attack.credential-access, attack.privilege-escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082