PUA - AdvancedRun Suspicious Execution

calendar Jan 1, 2024 · attack.defense_evasion attack.privilege_escalation attack.t1134.002  ·
Share on: linkedin copy

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

Sigma rule (View on GitHub)

 1title: PUA - AdvancedRun Suspicious Execution
 2id: fa00b701-44c6-4679-994d-5a18afa8a707
 3related:
 4    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
 5      type: similar
 6status: test
 7description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
 8references:
 9    - https://twitter.com/splinter_code/status/1483815103279603714
10    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
11    - https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/
12    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
13author: Florian Roth (Nextron Systems)
14date: 2022/01/20
15modified: 2023/02/21
16tags:
17    - attack.defense_evasion
18    - attack.privilege_escalation
19    - attack.t1134.002
20logsource:
21    product: windows
22    category: process_creation
23detection:
24    selection:
25        CommandLine|contains:
26            - '/EXEFilename'
27            - '/CommandLine'
28    selection_runas:
29        - CommandLine|contains:
30              - ' /RunAs 8 '
31              - ' /RunAs 4 '
32              - ' /RunAs 10 '
33              - ' /RunAs 11 '
34        - CommandLine|endswith:
35              - '/RunAs 8'
36              - '/RunAs 4'
37              - '/RunAs 10'
38              - '/RunAs 11'
39    condition: all of selection*
40falsepositives:
41    - Unknown
42level: high

References

Related rules

to-top