Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Sigma rule (View on GitHub)
1title: Ps.exe Renamed SysInternals Tool
2id: 18da1007-3f26-470f-875d-f77faf1cab31
3status: test
4description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
5references:
6 - https://www.us-cert.gov/ncas/alerts/TA17-293A
7author: Florian Roth (Nextron Systems)
8date: 2017/10/22
9modified: 2023/05/02
10tags:
11 - attack.defense_evasion
12 - attack.g0035
13 - attack.t1036.003
14 - car.2013-05-009
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains|all:
22 - 'ps.exe -accepteula'
23 - '-s cmd /c netstat'
24 condition: selection
25falsepositives:
26 - Renamed SysInternals tool
27level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- COLDSTEEL Persistence Service Creation
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Exploit for CVE-2015-1641