Using SettingSyncHost.exe as LOLBin

Detects the use of SettingSyncHost.exe to run a hijacked binary

Sigma rule

```yaml
title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1574.008
logsource:
    category: process_creation
    product: windows
detection:
    system_utility:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    parent_is_settingsynchost:
        ParentCommandLine|contains|all:
            - 'cmd.exe /c'
            - 'RoamDiag.cmd'
            - '-outputpath'
    condition: not system_utility and parent_is_settingsynchost
fields:
    - TargetFilename
    - Image
falsepositives:
    - Unknown
level: high
```
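As an added example (not part of the Sigma rule or the Sigma project), the rule's two selections and its condition evaluated in Python over constructed process_creation events; the event field values and paths are invented samples, and the helpers mirror Sigma's default case-insensitive string matching:

```python
# Added example: evaluate this rule's selections and condition over constructed
# process_creation events. Not part of the Sigma project; all events are samples.

SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
PARENT_MARKERS = ("cmd.exe /c", "RoamDiag.cmd", "-outputpath")


def system_utility(event: dict) -> bool:
    """Image|startswith with a list: any one prefix may match (Sigma compares
    case-insensitively by default, so both sides are lowercased)."""
    image = event.get("Image", "").lower()
    return any(image.startswith(d.lower()) for d in SYSTEM_DIRS)


def parent_is_settingsynchost(event: dict) -> bool:
    """ParentCommandLine|contains|all: every listed substring must be present."""
    cmdline = event.get("ParentCommandLine", "").lower()
    return all(m.lower() in cmdline for m in PARENT_MARKERS)


def matches(event: dict) -> bool:
    """condition: not system_utility and parent_is_settingsynchost"""
    return not system_utility(event) and parent_is_settingsynchost(event)


def run_rule(events: list) -> list:
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events: the parent command line follows the rule's three
# markers; the child paths and file names are illustrative, not from a real host.
ROAMDIAG_PARENT = "cmd.exe /c RoamDiag.cmd -outputpath C:\\Temp\\diag"
SAMPLE_EVENTS = [
    # Child outside System32/SysWOW64 spawned from the RoamDiag.cmd chain: alert.
    {"Image": "C:\\Users\\Public\\tools\\helper.exe", "ParentCommandLine": ROAMDIAG_PARENT},
    # Genuine system utility under the same parent: suppressed by system_utility.
    {"Image": "C:\\Windows\\System32\\ipconfig.exe", "ParentCommandLine": ROAMDIAG_PARENT},
    # Non-system child under an unrelated cmd.exe parent: parent selection fails.
    {"Image": "C:\\Users\\Public\\tools\\helper.exe", "ParentCommandLine": "cmd.exe /c whoami"},
    # Only two of the three markers present: contains|all needs every one.
    {"Image": "C:\\Users\\Public\\tools\\helper.exe", "ParentCommandLine": "cmd.exe /c RoamDiag.cmd"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first sample fires; the second shows why the `system_utility` exclusion matters, since legitimate System32 children of the same parent would otherwise alert on every run.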
