Suspicious Sigverif Execution
Detects process creation where the sigverif binary is the parent process, which could indicate it is being used as a LOLBIN to proxy execution.
Sigma rule

```yaml
title: Suspicious Sigverif Execution
id: 7d4aaec2-08ed-4430-8b96-28420e030e04
status: test
description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
references:
    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
    - https://twitter.com/0gtweet/status/1457676633809330184
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
tags:
    - attack.defense_evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sigverif.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
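To show what the rule's single selection actually matches, here is an added example (not part of the Sigma project or of this rule) that applies the `ParentImage|endswith` check to a few constructed Sysmon-style process-creation events; the field names follow the Sigma process_creation taxonomy, and the case-folding mirrors Sigma's default case-insensitive string matching.

```python
"""Apply the 'Suspicious Sigverif Execution' selection to constructed
process_creation events (added example, not the Sigma project's own code)."""

from typing import Dict, Iterable, List

# Values copied from the rule above.
RULE_ID = "7d4aaec2-08ed-4430-8b96-28420e030e04"
PARENT_IMAGE_SUFFIX = r"\sigverif.exe"


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma string modifiers compare case-insensitively by default, so the
    suffix check folds case. The leading backslash in the rule's value
    anchors the match on a path separator, so a differently named binary
    such as 'notsigverif.exe' does not match.
    """
    parent = event.get("ParentImage", "")
    return parent.lower().endswith(PARENT_IMAGE_SUFFIX.lower())


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a stream of process_creation events; return the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); fields use Sigma names.
SAMPLE_EVENTS = [
    # A user simply launching the tool from Explorer: sigverif is the child, no hit.
    {"Image": r"C:\Windows\System32\sigverif.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # A process spawned by sigverif: hit, even with an upper-case path.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\SIGVERIF.EXE"},
    # A binary whose name merely ends in 'sigverif.exe': no hit.
    {"Image": r"C:\Users\alice\tool.exe",
     "ParentImage": r"C:\Temp\notsigverif.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] {hit['ParentImage']} -> {hit['Image']}")
```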
Related rules
- Execute Code with Pester.bat as Parent
- Suspicious CustomShellHost Execution
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- UtilityFunctions.ps1 Proxy Dll
- Potential Script Proxy Execution Via CL_Mutexverifiers.ps1