Suspicious Execution Of PDQDeployRunner
Detects suspicious child processes of "PDQDeployRunner", the component of the PDQ Deploy service stack that executes commands and packages on remote machines. The rule fires when a PDQDeployRunner process spawns a known script/LOLBin interpreter, a binary from a user-writable or temp directory, or a command line with download, encoding or hidden-window indicators.
Sigma rule
title: Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: 'PDQDeployRunner-'
    selection_susp:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
              # If you use any of the following processes legitimately comment them out
              - '\wscript.exe'
              - '\cscript.exe'
              - '\rundll32.exe'
              - '\regsvr32.exe'
              - '\wmic.exe'
              - '\msiexec.exe'
              - '\mshta.exe'
              - '\csc.exe'
              - '\dllhost.exe'
              - '\certutil.exe'
              - '\scriptrunner.exe'
              - '\bash.exe'
              - '\wsl.exe'
        - Image|contains:
              - 'C:\Users\Public\'
              - 'C:\ProgramData\'
              - 'C:\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - 'iex '
              - 'Invoke-'
              - 'DownloadString'
              - 'http'
              - ' -enc '
              - ' -encodedcommand '
              - 'FromBase64String'
              - ' -decode '
              - ' -w hidden'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium
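The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small Python re-implementation of this rule's detection logic, run over constructed process_creation events, to show which parent/child/command-line combinations fire it. It approximates Sigma's default string semantics (case-insensitive `contains` and `endswith`, literal backslashes) rather than using an official pySigma backend, and the PDQDeployRunner install path, command lines and base64 blob in the sample events are made up for illustration.

```python
# Added example (not the rule's own code): evaluate the rule's selections
# against constructed process_creation events. Sigma's contains/endswith
# modifiers match case-insensitively and the backslashes in the rule's
# values are literal characters, so comparisons are done on lowercased strings.

# Indicator lists copied from the rule's selection_susp block.
SUSP_IMAGE_SUFFIXES = [
    "\\wscript.exe", "\\cscript.exe", "\\rundll32.exe", "\\regsvr32.exe",
    "\\wmic.exe", "\\msiexec.exe", "\\mshta.exe", "\\csc.exe", "\\dllhost.exe",
    "\\certutil.exe", "\\scriptrunner.exe", "\\bash.exe", "\\wsl.exe",
]
SUSP_IMAGE_PATHS = [
    "C:\\Users\\Public\\", "C:\\ProgramData\\", "C:\\Windows\\TEMP\\",
    "\\AppData\\Local\\Temp",
]
SUSP_CMDLINE = [
    "iex ", "Invoke-", "DownloadString", "http", " -enc ", " -encodedcommand ",
    "FromBase64String", " -decode ", " -w hidden",
]


def selection_parent(event: dict) -> bool:
    """ParentImage|contains: 'PDQDeployRunner-'"""
    return "pdqdeployrunner-" in event.get("ParentImage", "").lower()


def selection_susp(event: dict) -> bool:
    """selection_susp is a YAML list of three maps, so any one of them suffices."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        any(image.endswith(s.lower()) for s in SUSP_IMAGE_SUFFIXES)
        or any(p.lower() in image for p in SUSP_IMAGE_PATHS)
        or any(c.lower() in cmdline for c in SUSP_CMDLINE)
    )


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_parent(event) and selection_susp(event)


# Constructed sample events: the runner path, command lines and the base64
# string are invented for this example and are not captured telemetry.
PDQ_PARENT = ("C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec"
              "\\PDQDeployRunner-1.exe")
SAMPLE_EVENTS = {
    # Hidden, encoded PowerShell: fires on CommandLine (' -w hidden', ' -enc ').
    # Mixed case on purpose, to show the case-insensitive match.
    "encoded_powershell": {
        "ParentImage": PDQ_PARENT,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Enc "
                       "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    # Plain service restart pushed through PDQ: no indicator, no alert.
    "benign_cmd": {
        "ParentImage": PDQ_PARENT,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c net start Spooler",
    },
    # Ordinary MSI package install: fires only because msiexec.exe is listed.
    # This is the false positive the rule's own comment asks you to tune.
    "msi_install": {
        "ParentImage": PDQ_PARENT,
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /i \"C:\\Windows\\AdminArsenal\\PDQDeployRunner"
                       "\\service-1\\exec\\7z2301-x64.msi\" /qn /norestart",
    },
    # Script interpreter, but the parent is explorer.exe: selection_parent fails.
    "wscript_from_explorer": {
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "wscript.exe C:\\Users\\alice\\logon.vbs",
    },
    # Payload staged in a world-writable directory: fires on Image path.
    "public_dir_payload": {
        "ParentImage": PDQ_PARENT,
        "Image": "C:\\Users\\Public\\update.exe",
        "CommandLine": "C:\\Users\\Public\\update.exe /silent",
    },
}


def evaluate(events: dict) -> dict:
    """Map each event name to whether the rule fires on it."""
    return {name: rule_matches(e) for name, e in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '  ok '}  {name}")
```

The `msi_install` case is the point to check before deploying this rule: PDQ Deploy pushes a large share of packages through msiexec.exe, so in an environment where that is the baseline the `'\msiexec.exe'` entry should be commented out, as the rule's inline comment suggests, or paired with a filter on the MSI's source path. The `'http'` and `'Invoke-'` substrings are similarly broad and will match on legitimate PowerShell maintenance scripts run through the tool.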
References
- https://twitter.com/malmoeb/status/1550483085472432128