Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Sigma rule (View on GitHub)
1title: Ps.exe Renamed SysInternals Tool
2id: 18da1007-3f26-470f-875d-f77faf1cab31
3status: test
4description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
5references:
6 - https://www.us-cert.gov/ncas/alerts/TA17-293A
7author: Florian Roth (Nextron Systems)
8date: 2017-10-22
9modified: 2023-05-02
10tags:
11 - attack.defense-evasion
12 - attack.g0035
13 - attack.t1036.003
14 - car.2013-05-009
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'ps.exe -accepteula'
23 - '-s cmd /c netstat'
24 condition: selection
25falsepositives:
26 - Renamed SysInternals tool
27level: high
References
-
Systems Affected Domain Controllers File Servers Email Servers Overview This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the n...
Read More
Related rules
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators