Suspicious Command Arguments from Explorer or Wermgr
Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.
Sigma rule
```yaml
title: Suspicious Command Arguments from Explorer or Wermgr
id: ebda47a5-173e-493d-93a6-d7123076ee11
status: experimental
description: Detects the suspicious command line arguments from potentially-injected versions of explorer or wermgr processes.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/demystifying-qbot-malware.html
author: Adithya Chandra and Sushant Kumar Arya, Trellix
date: 2022/04/08
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\explorer.exe'
            - '\wermgr.exe'
        CommandLine|contains|windash:
            - 'whoami /all'
            - 'arp -a'
            - 'ipconfig /all'
            - 'net view /all'
            - 'cmd /c set'
            - 'nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs'
            - 'nltest /domain_trusts /all_trusts'
            - 'net share'
            - 'netstat -nao'
            - 'net localgroup'
            - 'qwinsta'
    condition: selection
falsepositives:
    - Unknown
level: high
```
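To show how the selection above is evaluated, here is an added Python sketch of the rule's matching logic (not pySigma or Trellix code) run over constructed process-creation events. It expands each `CommandLine` value the way the `windash` modifier does, so both `nltest /domain_trusts` and `nltest -domain_trusts` are caught; `SAMPLE_EVENTS`, `matches` and `alerts` are names assumed for this illustration.

```python
import itertools

# Field values lifted from the rule above; the matching logic is an added
# illustration of how a Sigma engine evaluates them, not pySigma itself.
IMAGE_SUFFIXES = ("\\explorer.exe", "\\wermgr.exe")
COMMANDLINE_PATTERNS = (
    "whoami /all", "arp -a", "ipconfig /all", "net view /all", "cmd /c set",
    "nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs",
    "nltest /domain_trusts /all_trusts", "net share", "netstat -nao",
    "net localgroup", "qwinsta",
)

def windash_variants(value: str) -> set:
    """Expand a value like the Sigma 'windash' modifier: every '-' or '/'
    switch prefix may be written with either character."""
    slots = [i for i, ch in enumerate(value) if ch in "-/"]
    variants = set()
    for combo in itertools.product("-/", repeat=len(slots)):
        chars = list(value)
        for pos, ch in zip(slots, combo):
            chars[pos] = ch
        variants.add("".join(chars))
    return variants

def matches(event: dict) -> bool:
    """True if a process_creation event satisfies the rule's selection.
    Sigma string matching is case-insensitive, so both sides are lowered."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIXES):
        return False
    return any(v.lower() in cmdline
               for p in COMMANDLINE_PATTERNS for v in windash_variants(p))

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\explorer.exe"},                 # benign shell
    {"Image": "C:\\Windows\\System32\\wermgr.exe",
     "CommandLine": "wermgr.exe -upload"},                       # benign WER
    {"Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd /c nltest -domain_trusts -all_trusts"},  # dash form
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c net view /all"},                     # wrong image
]

def alerts(events) -> list:
    """Indexes of events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # only the injected-explorer style event fires
```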
Related rules
- Reconnaissance Activity Using BuiltIn Commands
- Driverquery Lookup
- SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report)
- SocGholish Script File Whoami Output to File (RedCanary Threat Detection Report)
- Account Enumeration on AWS