Another good rule template is called Kill Suspicious Process.
Requirement for this rule: a Group Policy setting that enables process tracking (on Windows, the process creation audit policy, which produces Event ID 4688 for every new process). Caution: process tracking can be very chatty; not all environments can handle the event volume it generates.
Default Rule
Correlations
ProcessStart.ImageFile = *.*.*
AND
ProcessStart.ImageFile NOT CONTAINED IN UserDefinedGroup (Safe Processes)
Action
Kill Process By Name
The key to this rule is to identify every legitimate process on your network. Anything that starts and is not in the group gets killed, so a missing entry means a killed business process, not just a missed alert.
The default User Defined Group contains a number of common processes, but not all of them. Also keep in mind that the kill action fires after the process has already started, so this rule contains a suspicious process rather than preventing it from running.
Hint:
Create a rule that captures every process start so you can decide what is safe in your environment.
Then create a second rule to kill anything not deemed safe.
Rule #1
Requirement: clone the default Safe Processes user defined group and make the copy your own, so you edit your version rather than the default.
Correlations
ProcessStart.ImageFile = *.*.*
Action
Add User-Defined group Element
User Defined Group = Your version of Safe Processes UDG
Value = ProcessStart.ImageFile
Let this run for a few days to get a good record of your environment, then turn it off.
Review the UDG to determine what you consider safe, and delete anything not considered safe from the UDG. This review step matters: anything that was already running during the learning period, including a malicious tool, will have been added to the group automatically.
Now start rule #2.
Correlations
ProcessStart.ImageFile = *.*.*
AND
ProcessStart.ImageFile NOT CONTAINED IN UserDefinedGroup (Your Safe Processes UDG)
Action
Kill Process By Name
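As an added illustration (not the product's rule engine, and not code from the original post), the following Python replays the two-rule workflow over a constructed set of process-creation events: Rule #1 populates a stand-in for the Safe Processes UDG, the group is reviewed, and Rule #2 then reports which image files the kill action would fire on. The class and function names (SafeProcessGroup, rule1_learn, rule2_enforce, run_example) and the sample events are assumptions made for the example. Matching on the full, case-folded path instead of the bare file name is a design choice made here, not something the rule template specifies.

```python
"""Two-phase process allowlisting modelled on Rule #1 / Rule #2 above.

Added example, not the SIEM vendor's code. Event data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class ProcessStartEvent:
    """One process-creation record (the SIEM's ProcessStart event)."""
    host: str
    image_file: str  # full path; stands in for ProcessStart.ImageFile
    user: str


class SafeProcessGroup:
    """Stand-in for the 'Safe Processes' User Defined Group (UDG).

    Entries are compared on the full, case-folded path. Comparing bare file
    names would let C:\\Users\\x\\svchost.exe pass because the legitimate
    C:\\Windows\\System32\\svchost.exe is on the list (design choice here).
    """

    def __init__(self, seed: Iterable[str] = ()):
        self._members = {self._norm(p) for p in seed}

    @staticmethod
    def _norm(image_file: str) -> str:
        # Windows paths are case-insensitive; fold case and slashes so the
        # same binary logged with different casing becomes one entry.
        return image_file.strip().replace("/", "\\").lower()

    def add(self, image_file: str) -> None:
        self._members.add(self._norm(image_file))

    def remove(self, image_file: str) -> None:
        self._members.discard(self._norm(image_file))

    def __contains__(self, image_file: str) -> bool:
        return self._norm(image_file) in self._members

    def __len__(self) -> int:
        return len(self._members)

    def entries(self) -> List[str]:
        return sorted(self._members)


def rule1_learn(events: Sequence[ProcessStartEvent],
                group: SafeProcessGroup) -> SafeProcessGroup:
    """Rule #1: ImageFile = *.*.*  ->  Add User-Defined Group Element."""
    for ev in events:
        group.add(ev.image_file)
    return group


def rule2_enforce(events: Sequence[ProcessStartEvent],
                  group: SafeProcessGroup) -> List[Tuple[str, str]]:
    """Rule #2: ImageFile NOT CONTAINED IN group  ->  Kill Process By Name.

    Returns the (host, image_file) pairs the kill action would fire on.
    """
    return [(ev.host, ev.image_file) for ev in events if ev.image_file not in group]


# Constructed events for the learning window (Rule #1 running for a few days).
LEARNING_EVENTS = [
    ProcessStartEvent("ws01", r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    ProcessStartEvent("ws01", r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessStartEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"CORP\bob"),
    # An attacker tool that happened to run during the baseline: it gets
    # learned too, which is why the review step exists.
    ProcessStartEvent("ws02", r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe", r"CORP\bob"),
    # Same binary as the first event, logged with different casing.
    ProcessStartEvent("ws01", r"c:\windows\system32\SVCHOST.EXE", "SYSTEM"),
]

# Constructed events seen after Rule #2 is switched on.
ENFORCEMENT_EVENTS = [
    ProcessStartEvent("ws03", r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    ProcessStartEvent("ws03", r"C:\Users\carol\Downloads\svchost.exe", r"CORP\carol"),
    ProcessStartEvent("ws02", r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe", r"CORP\bob"),
    ProcessStartEvent("ws01", r"C:\Windows\explorer.exe", r"CORP\alice"),
]


def run_example() -> Tuple[int, int, List[Tuple[str, str]]]:
    """Learn, review, enforce. Returns (learned count, reviewed count, kills)."""
    group = rule1_learn(LEARNING_EVENTS, SafeProcessGroup())
    learned = len(group)
    # Review: the analyst removes the entry that is not considered safe.
    group.remove(r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe")
    kills = rule2_enforce(ENFORCEMENT_EVENTS, group)
    return learned, len(group), kills


if __name__ == "__main__":
    learned, reviewed, kills = run_example()
    print(f"learned {learned} entries, {reviewed} kept after review")
    for host, image in kills:
        print(f"KILL on {host}: {image}")
```

The second enforcement event is the case a bare-name match would miss: it is named svchost.exe but lives in a user's Downloads folder, so a full-path allowlist flags it while a file-name allowlist would let it through.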