Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Sigma rule (View on GitHub)
1title: Suspicious GrpConv Execution
2id: f14e169e-9978-4c69-acb3-1cff8200bc36
3status: test
4description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
5references:
6 - https://twitter.com/0gtweet/status/1526833181831200770
7author: Florian Roth (Nextron Systems)
8date: 2022/05/19
9tags:
10 - attack.persistence
11 - attack.t1547
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains:
18 - 'grpconv.exe -o'
19 - 'grpconv -o'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- Registry Persistence Mechanisms in Recycle Bin
- Suspicious Fsutil Execution Allowing Remote Connections
- Suspicious Driver Install by pnputil.exe
- WINEKEY Registry Modification
- Abuse of Service Permissions to Hide Services Via Set-Service