How can I get notified if an unsigned executable is launched?

Article ID: 507
Category: Security
Applies to: 5.1.1.82 and later
Updated: 2024-04-23

By monitoring 4688 (process creation) events from the Security event log and filtering on the digital signature of the launched process file, EventSentry can notify you when an unsigned executable (a file without a digital signature) is launched.

  1. Ensure that 4688 events are being logged to the event log. See the link for more information on auditing requirements.
  2. Create a package and assign it to the hosts where launches of unsigned executables should be detected; you can also use an existing event log package.
  3. Copy the code shown below into the clipboard.
  4. Click the package in EventSentry and then click the Paste button in the ribbon.
{
  "type": 0,
  "active": 1,
  "name": "Unsigned File Launched",
  "uuid": "73263ceb-d8a8-4383-8e72-43c904471226",
  "version": 14,
  "order": 12,
  "folder": "Suspicious Activity",
  "isfolder": 0,
  "applyToCollectorSideThresholds": 0,
  "requireAck": 0,
  "stopProcessing": 0,
  "anomalyFiltering": 0,
  "logs": [ "SEC" ],
  "severities": [ "AUDITSUCCESS" ],
  "source": "Microsoft-Windows-Security-Auditing",
  "eventid": "4688",
  "chainType": 1,
  "textfilters": [
    {
      "insertionString": 5,
      "comparisonType": 0,
      "text": "!C:\\Windows\\Temp\\*\\DismHost.exe",
      "type": 1
    }
  ],
  "threshold": {
    "type": 0,
    "limit": 0,
    "interval": 0,
    "intervalScale": 0,
    "processBefore": 0,
    "processAfter": 0,
    "processAfterFirstOnly": 0,
    "logImmediate": 0,
    "logInterval": 0,
    "logSeverity": 2,
    "matchType": 1
  },
  "timer": {
    "enable": 0,
    "interval": 0,
    "intervalScale": 0
  },
  "bootBehavior": 0
}
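As an added example that is not part of this article or of EventSentry, the following PowerShell script performs the same check ad hoc on a single host: it reads recent 4688 events from the Security log, looks up the Authenticode signature status of each launched file, and applies the same DismHost.exe exclusion that the filter above uses. The parameter names, the signature cache and the output columns are this example's own choices.

```powershell
# Added example (not EventSentry's code). Run in an elevated PowerShell session on a
# host where "Audit Process Creation" is enabled, so that 4688 events exist to read.
param(
    [int]$MaxEvents = 500,
    # Paths to ignore; the wildcard pattern mirrors the exclusion in the article's filter.
    [string[]]$ExcludePatterns = @('C:\Windows\Temp\*\DismHost.exe')
)

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$signatureCache = @{}   # path -> signature status, so each file is hashed only once

foreach ($evt in $events) {
    # In a 4688 event the launched file is the "New Process Name" field,
    # which Get-WinEvent exposes as Properties[5].
    $path = $evt.Properties[5].Value
    if (-not $path) { continue }

    # Skip known-noisy paths, exactly like the "!" (negated) text filter above.
    $excluded = $false
    foreach ($pattern in $ExcludePatterns) {
        if ($path -like $pattern) { $excluded = $true; break }
    }
    if ($excluded) { continue }

    if (-not $signatureCache.ContainsKey($path)) {
        if (Test-Path -LiteralPath $path) {
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, ... for the file on disk.
            $signatureCache[$path] = (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else {
            # The binary was already deleted (typical for droppers); report it as unknown.
            $signatureCache[$path] = 'FileNotFound'
        }
    }

    # Anything other than a valid signature is worth a look, not just NotSigned.
    if ($signatureCache[$path] -ne 'Valid') {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Process = $path
            Status  = $signatureCache[$path]
            User    = $evt.Properties[1].Value   # Subject User Name (the account that launched it)
        }
    }
}
```

Most Windows system binaries are catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature reports those as Valid (with SignatureType Catalog), so they do not show up in the output.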