Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Sigma rule (View on GitHub)
1title: Ps.exe Renamed SysInternals Tool
2id: 18da1007-3f26-470f-875d-f77faf1cab31
3status: test
4description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
5references:
6 - https://www.us-cert.gov/ncas/alerts/TA17-293A
7author: Florian Roth (Nextron Systems)
8date: 2017/10/22
9modified: 2023/05/02
10tags:
11 - attack.defense_evasion
12 - attack.g0035
13 - attack.t1036.003
14 - car.2013-05-009
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'ps.exe -accepteula'
23 - '-s cmd /c netstat'
24 condition: selection
25falsepositives:
26 - Renamed SysInternals tool
27level: high
References
-
Systems Affected Domain Controllers File Servers Email Servers Overview This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the n...
Read More
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- COLDSTEEL Persistence Service Creation
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Exploit for CVE-2015-1641