Using SettingSyncHost.exe as LOLBin

Detects using SettingSyncHost.exe to run hijacked binary

Sigma rule (View on GitHub)

 1title: Using SettingSyncHost.exe as LOLBin
 2id: b2ddd389-f676-4ac4-845a-e00781a48e5f
 3status: test
 4description: Detects using SettingSyncHost.exe to run hijacked binary
 5references:
 6    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
 7author: Anton Kutepov, oscd.community
 8date: 2020/02/05
 9modified: 2021/11/27
10tags:
11    - attack.execution
12    - attack.defense_evasion
13    - attack.t1574.008
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    system_utility:
19        Image|startswith:
20            - 'C:\Windows\System32\'
21            - 'C:\Windows\SysWOW64\'
22    parent_is_settingsynchost:
23        ParentCommandLine|contains|all:
24            - 'cmd.exe /c'
25            - 'RoamDiag.cmd'
26            - '-outputpath'
27    condition: not system_utility and parent_is_settingsynchost
28fields:
29    - TargetFilename
30    - Image
31falsepositives:
32    - Unknown
33level: high

References

Related rules

to-top