Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
Sigma rule
title: Execute Files with Msdeploy.exe
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
status: test
description: Detects file execution using the msdeploy.exe lolbin
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
    - https://twitter.com/pabraeken/status/995837734379032576
    - https://twitter.com/pabraeken/status/999090532839313408
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'verb:sync'
            - '-source:RunCommand'
            - '-dest:runCommand'
        Image|endswith: '\msdeploy.exe'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - System administrator Usage
level: medium
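The following is an added example, not code from the Sigma project or from the rule's author: a minimal Python evaluator of this rule's selection block, run over a few constructed process_creation events. It assumes the usual Sysmon-style field names (Image, CommandLine, ComputerName, User, ParentCommandLine) and lower-cases both sides of each comparison, because Sigma's contains and endswith modifiers are case-insensitive by default; the sample command lines are constructed and use a placeholder where the real provider argument would be.

```python
from typing import Dict, List

# Assumed field names follow the Sysmon / Windows process_creation conventions
# that Sigma rules are written against.
RULE_TITLE = "Execute Files with Msdeploy.exe"
IMAGE_SUFFIX = "\\msdeploy.exe"              # Image|endswith: '\msdeploy.exe'
# CommandLine|contains|all values, lower-cased because Sigma string
# modifiers match case-insensitively by default.
REQUIRED_TOKENS = ("verb:sync", "-source:runcommand", "-dest:runcommand")
ALERT_FIELDS = ("ComputerName", "User", "CommandLine", "ParentCommandLine")


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):      # Image|endswith check
        return False
    # contains|all: every token must appear somewhere in the command line
    return all(tok in cmdline for tok in REQUIRED_TOKENS)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events; return the 'fields' of each hit."""
    return [{f: e.get(f, "") for f in ALERT_FIELDS}
            for e in events if matches(e)]


# Constructed sample events (not real telemetry). Event 2 shows the
# false-positive class named in the rule: an ordinary administrator sync.
SAMPLE_EVENTS = [
    {   # 1: runCommand provider on both sides -> should alert
        "ComputerName": "WEB01", "User": "CORP\\svc_deploy",
        "Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
        "CommandLine": 'msdeploy.exe -verb:sync -source:RunCommand="<constructed>" -dest:runCommand',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: ordinary content sync by the same binary -> no alert
        "ComputerName": "WEB01", "User": "CORP\\svc_deploy",
        "Image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
        "CommandLine": r'msdeploy.exe -verb:sync -source:contentPath="C:\site" -dest:contentPath="D:\site"',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: all three tokens present, but a different image -> no alert
        "ComputerName": "WEB01", "User": "CORP\\analyst",
        "Image": r"C:\Windows\System32\findstr.exe",
        "CommandLine": 'findstr.exe /i "verb:sync -source:RunCommand -dest:runCommand" deploy.log',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 4: upper-cased everything -> still alerts (case-insensitive matching)
        "ComputerName": "WEB02", "User": "CORP\\jdoe",
        "Image": r"C:\TOOLS\MSDEPLOY.EXE",
        "CommandLine": "MSDEPLOY.EXE -VERB:SYNC -SOURCE:RUNCOMMAND=<constructed> -DEST:RUNCOMMAND",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_TITLE}] {hit}")
```

Events 1 and 4 produce alerts; event 2 is the benign administrator usage the rule lists as a false positive, and event 3 shows why the Image condition matters: the tokens alone, appearing in some other process's arguments, are not enough to fire. A real Sigma backend would also apply the rule's logsource filter (Windows process creation) before the selection logic runs.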
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE