Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Sigma rule (View on GitHub)
1title: Suspicious GrpConv Execution
2id: f14e169e-9978-4c69-acb3-1cff8200bc36
3status: test
4description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
5references:
6 - https://twitter.com/0gtweet/status/1526833181831200770
7author: Florian Roth (Nextron Systems)
8date: 2022-05-19
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.t1547
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains:
19 - 'grpconv.exe -o'
20 - 'grpconv -o'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Atbroker Registry Change
- Potential RipZip Attack on Startup Folder
- Registry Persistence Mechanisms in Recycle Bin
- Startup/Logon Script Added to Group Policy Object
- Suspicious Driver Install by pnputil.exe