Execute Files with Msdeploy.exe

 1title: Execute Files with Msdeploy.exe
 2id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
 3status: test
 4description: Detects file execution using the msdeploy.exe lolbin
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
 7    - https://twitter.com/pabraeken/status/995837734379032576
 8    - https://twitter.com/pabraeken/status/999090532839313408
 9author: Beyu Denis, oscd.community
10date: 2020/10/18
11modified: 2021/11/27
12tags:
13    - attack.defense_evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        CommandLine|contains|all:
21            - 'verb:sync'
22            - '-source:RunCommand'
23            - '-dest:runCommand'
24        Image|endswith: '\msdeploy.exe'
25    condition: selection
26fields:
27    - ComputerName
28    - User
29    - CommandLine
30    - ParentCommandLine
31falsepositives:
32    - System administrator Usage
33level: medium

References

• Msdeploy | LOLBAS

  Launch calc.bat via msdeploy.exe. msdeploy.exe -verb:sync -source:RunCommand -dest:runCommand="c:\temp\calc.bat" Use caseLocal execution of batch file using msdeploy.exe. Privileges requiredUser Op...

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• MSI Installation From Web
• Malicious Windows Script Components File Execution by TAEF Detection
• Potential Password Spraying Attempt Using Dsacls.EXE
• Potentially Over Permissive Permissions Granted Using Dsacls.EXE
• Potentially Suspicious Child Process Of DiskShadow.EXE