Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Sigma rule (View on GitHub)
1title: Ps.exe Renamed SysInternals Tool
2id: 18da1007-3f26-470f-875d-f77faf1cab31
3status: test
4description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
5references:
6 - https://www.us-cert.gov/ncas/alerts/TA17-293A
7author: Florian Roth (Nextron Systems)
8date: 2017-10-22
9modified: 2023-05-02
10tags:
11 - attack.defense-evasion
12 - attack.g0035
13 - attack.t1036.003
14 - car.2013-05-009
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'ps.exe -accepteula'
23 - '-s cmd /c netstat'
24 condition: selection
25falsepositives:
26 - Renamed SysInternals tool
27level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- COLDSTEEL Persistence Service Creation