DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
Sigma rule (View on GitHub)
1title: DeviceCredentialDeployment Execution
2id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
3status: test
4description: |
5 Detects the execution of DeviceCredentialDeployment to hide a process from view.
6references:
7 - https://github.com/LOLBAS-Project/LOLBAS/pull/147
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-08-19
10tags:
11 - attack.defense-evasion
12 - attack.t1218
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\DeviceCredentialDeployment.exe'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: medium
References
-
New lolbin for hiding a console window (e.g. cmd.exe). First one that doesn't require PowerShell or VBS/JScript to my knowledge: DeviceCredentialDeployment.exe
Read More
Related rules
- MSDT Execution Via Answer File
- Wlrmdr.EXE Uncommon Argument Or Child Process
- Potential Devil Bait Malware Reconnaissance
- Suspicious Speech Runtime Binary Child Process
- Winrs Local Command Execution