PUA - RunXCmd Execution

calendar Feb 14, 2023 · attack.execution attack.t1569.002 attack.s0029  ·
Share on: linkedin copy

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Sigma rule (View on GitHub)

 1title: PUA - RunXCmd Execution
 2id: 93199800-b52a-4dec-b762-75212c196542
 3status: test
 4description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
 5references:
 6    - https://www.d7xtech.com/free-software/runx/
 7    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 8author: Florian Roth (Nextron Systems)
 9date: 2022/01/24
10modified: 2023/02/14
11tags:
12    - attack.execution
13    - attack.t1569.002
14    - attack.s0029
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_account:
20        CommandLine|contains:
21            - ' /account=system '
22            - ' /account=ti '
23    selection_exec:
24        CommandLine|contains: '/exec='
25    condition: all of selection_*
26fields:
27    - CommandLine
28    - ParentCommandLine
29falsepositives:
30    - Legitimate use by administrators
31level: high

References

  • RunX

    Current version:  1.0.0.1  Released May 19th, 2021 (fixed a bug with launching processes in general d7x code as explained here.) RunX is designed to easily launch any process with System account or…


    Read More

  • How to Run a Program as SYSTEM (LocalSystem) Account in Windows

    Many Windows system files, registry keys, and services are owned by the (a.k.a LocalSystem) account, which has a high privilege level. If you need to modify a registry key owned by the account…


    Read More

Related rules

to-top