Using SettingSyncHost.exe as LOLBin

Detects the use of SettingSyncHost.exe to run a hijacked binary. SettingSyncHost.exe hands its diagnostic batch script to the shell as cmd.exe /c ... RoamDiag.cmd -outputpath ..., and that script invokes helper utilities which should resolve to the copies under C:\Windows\System32\ or C:\Windows\SysWOW64\. Because the lookup can be intercepted by search-order hijacking (T1574.008), an attacker-planted binary of the same name may run instead, so the rule alerts when a process whose parent command line carries those three markers has an Image outside the two system directories. The match depends on the ParentCommandLine field, which Sysmon Event ID 1 supplies but Security event 4688 does not (4688 records only the creator process name), so command-line-aware process telemetry is required. False positives are listed as unknown; a hit on a legitimate utility installed outside the system directories should be checked before escalating.

Sigma rule

```yaml
title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.t1574.008
logsource:
    category: process_creation
    product: windows
detection:
    system_utility:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    parent_is_settingsynchost:
        ParentCommandLine|contains|all:
            - 'cmd.exe /c'
            - 'RoamDiag.cmd'
            - '-outputpath'
    condition: not system_utility and parent_is_settingsynchost
fields:
    - TargetFilename
    - Image
falsepositives:
    - Unknown
level: high
```
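The rule's two selections and its condition, re-implemented in plain Python and run over constructed process_creation events, as an added example that is not part of the Sigma rule or of SigmaHQ. The parent command line, the planted binary's name (tree.exe) and the output directory are assumptions; only the three substrings the rule keys on matter to the match. String comparison is case-insensitive, as Sigma string modifiers are by default, and the final event shows that telemetry without a ParentCommandLine field (Security 4688 style) can never trigger the rule.

```python
# Added example, not part of the Sigma rule or SigmaHQ: the rule's selections and
# condition written out in Python and run over constructed process_creation events
# shaped like Sysmon Event ID 1 (fields Image, ParentCommandLine). Every event
# value below is a constructed sample, not observed telemetry.

# Sigma string matching is case-insensitive by default, so both sides are lowered.
SYSTEM_UTILITY_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PARENT_MARKERS = ("cmd.exe /c", "roamdiag.cmd", "-outputpath")


def system_utility(event: dict) -> bool:
    """Selection 'system_utility': Image|startswith either system directory."""
    return event.get("Image", "").lower().startswith(SYSTEM_UTILITY_PREFIXES)


def parent_is_settingsynchost(event: dict) -> bool:
    """Selection 'parent_is_settingsynchost': ParentCommandLine|contains|all."""
    parent = event.get("ParentCommandLine", "").lower()
    return all(marker in parent for marker in PARENT_MARKERS)


def rule_matches(event: dict) -> bool:
    """condition: not system_utility and parent_is_settingsynchost"""
    return not system_utility(event) and parent_is_settingsynchost(event)


def run_rule(events: list[dict]) -> list[str]:
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed parent command line (assumption). Only the three tokens the rule
# looks for matter; the quoting and the output directory are not observed values.
ROAMDIAG_PARENT = (
    'cmd.exe /c "C:\\Windows\\System32\\RoamDiag.cmd" -outputpath C:\\Users\\Public\\diag'
)

SAMPLE_EVENTS = [
    # 1. The batch script resolves a utility to the real System32 copy: benign.
    {"Image": "C:\\Windows\\System32\\reg.exe", "ParentCommandLine": ROAMDIAG_PARENT},
    # 2. A same-named binary planted earlier in the search order runs instead
    #    (search-order hijacking, T1574.008). The filename is hypothetical.
    {"Image": "C:\\Users\\Public\\tree.exe", "ParentCommandLine": ROAMDIAG_PARENT},
    # 3. Lower-case path from a source that normalises case: still a system utility,
    #    so a case-sensitive port of the rule would raise a false alert here.
    {"Image": "c:\\windows\\syswow64\\reg.exe", "ParentCommandLine": ROAMDIAG_PARENT},
    # 4. cmd.exe /c of an unrelated script launching a user-profile binary: out of scope.
    {"Image": "C:\\Users\\Public\\tool.exe",
     "ParentCommandLine": 'cmd.exe /c "C:\\Users\\Public\\run.cmd"'},
    # 5. Telemetry that lacks the parent's command line (Security 4688 records only
    #    the creator process name): the rule cannot fire, which is a coverage gap.
    {"Image": "C:\\Users\\Public\\tree.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for image in run_rule(SAMPLE_EVENTS):
        print(f"ALERT  {image}")
```

Only event 2 produces an alert. Event 5 is the one to remember when deploying the rule: if the pipeline feeds only 4688 events, the planted binary runs unseen, so the same hijack would have to be caught by a different rule keyed on ParentImage or on file-creation telemetry.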
