PUA - NirCmd Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
Sigma rule (View on GitHub)
1title: PUA - NirCmd Execution As LOCAL SYSTEM
2id: d9047477-0359-48c9-b8c7-792cedcdc9c4
3status: test
4description: Detects the use of NirCmd tool for command execution as SYSTEM user
5references:
6 - https://www.nirsoft.net/utils/nircmd.html
7 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
8 - https://www.nirsoft.net/utils/nircmd2.html#using
9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2022-01-24
11modified: 2023-02-13
12tags:
13 - attack.execution
14 - attack.t1569.002
15 - attack.s0029
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 CommandLine|contains: ' runassystem '
22 condition: selection
23fields:
24 - CommandLine
25 - ParentCommandLine
26falsepositives:
27 - Legitimate use by administrators
28level: high
References
-
NirCmd is a small utility that allows you to do many useful tasks from command-line, without displaying any user interface: change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more...
Read More -
Many Windows system files, registry keys, and services are owned by the (a.k.a LocalSystem) account, which has a high privilege level. If you need to modify a registry key owned by the account…
Read More -
NirCmd v2.86 Copyright (c) 2003 - 2019 Nir Sofer Description NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface. By running NirCm...
Read More
Related rules
- CSExec Service File Creation
- HackTool Service Registration or Execution
- PUA - NSudo Execution
- PUA - NirCmd Execution
- PUA - RunXCmd Execution