Potentially Suspicious Execution Of PDQDeployRunner

calendar May 13, 2024 · attack.execution  ·
Share on: linkedin copy

Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Execution Of PDQDeployRunner
 2id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
 3related:
 4    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
 5      type: similar
 6status: test
 7description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
 8references:
 9    - https://twitter.com/malmoeb/status/1550483085472432128
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/07/22
12modified: 2024/05/02
13tags:
14    - attack.execution
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_parent:
20        ParentImage|contains: '\PDQDeployRunner-'
21    selection_child:
22        # Improve this section by adding other suspicious processes, commandlines or paths
23        - Image|endswith:
24              # If you use any of the following processes legitimately comment them out
25              - '\bash.exe'
26              - '\certutil.exe'
27              - '\cmd.exe'
28              - '\csc.exe'
29              - '\cscript.exe'
30              - '\dllhost.exe'
31              - '\mshta.exe'
32              - '\msiexec.exe'
33              - '\regsvr32.exe'
34              - '\rundll32.exe'
35              - '\scriptrunner.exe'
36              - '\wmic.exe'
37              - '\wscript.exe'
38              - '\wsl.exe'
39        - Image|contains:
40              - ':\ProgramData\'
41              - ':\Users\Public\'
42              - ':\Windows\TEMP\'
43              - '\AppData\Local\Temp'
44        - CommandLine|contains:
45              - ' -decode '
46              - ' -enc '
47              - ' -encodedcommand '
48              - ' -w hidden'
49              - 'DownloadString'
50              - 'FromBase64String'
51              - 'http'
52              - 'iex '
53              - 'Invoke-'
54    condition: all of selection_*
55falsepositives:
56    - Legitimate use of the PDQDeploy tool to execute these commands
57level: medium

References

Related rules

to-top