Use of Setres.exe
Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
Sigma rule (View on GitHub)
1title: Use of Setres.exe
2id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
3status: test
4description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Setres/
7 - https://twitter.com/0gtweet/status/1583356502340870144
8 - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
9 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
10author: '@gott_cyber'
11date: 2022/12/11
12tags:
13 - attack.defense_evasion
14 - attack.t1218
15 - attack.t1202
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 ParentImage|endswith: '\setres.exe'
22 Image|endswith: '\choice'
23 condition: selection
24falsepositives:
25 - Legitimate usage of Setres
26level: medium
References
Related rules
- Potentially Suspicious Child Process Of VsCode
- Suspicious Child Process Of BgInfo.EXE
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Cmdl32 Execution
- Uncommon Child Process Of BgInfo.EXE