Suspicious Process Execution

[Jack Martin]

a.      Detects abnormal execution of Windows built-in tools such as certutil, mshta, rundll32, wmic, and powershell.

b.      Value: Identifies living-off-the-land attacks.

Response: SOC alert and process investigation

in the win 10 pro agent all thing i enable but the alert was not genrated

  we ahve to match this data.win.eventdata.newProcessName C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe//data.win.eventdata.newProcessName C:\\Windows\\System32\\certutil.exe//data.win.eventdata.newProcessName C:\\Windows\\System32\\rundll32.exe we we have to gain this 

<group name="windows,process_creation,lolbins,">

  <rule id="200001" level="10">
    <if_sid>18107</if_sid>
    <field name="data.win.eventdata.newProcessName" type="pcre2">
      (?i)\\(powershell|certutil|rundll32|mshta|wmic)\.exe$
    </field>
    <description>LOLBin execution detected: $(data.win.eventdata.newProcessName)</description>
    <mitre>T1059</mitre>
  </rule>

</group>

Wazuh home
Threat Hunting
goku
200001
manager.name: vegita-VMware-Virtual-Platform
agent.id: 009
This dashboard contains sample data

The data displayed may contain sample data. Go here to configure the sample data.
No results match your search criteria

No results found
0 hits
Dec 31, 2025 @ 18:00:00.887 - Jan 1, 2026 @ 18:00:00.887
this wa sseeany one have id how to do this so please help me in this 

  

[Jack Martin]