PUA - RunXCmd Execution

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Sigma rule (View on GitHub)

 1title: PUA - RunXCmd Execution
 2id: 93199800-b52a-4dec-b762-75212c196542
 3status: test
 4description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
 5references:
 6    - https://www.d7xtech.com/free-software/runx/
 7    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 8author: Florian Roth (Nextron Systems)
 9date: 2022-01-24
10modified: 2023-02-14
11tags:
12    - attack.execution
13    - attack.t1569.002
14    - attack.s0029
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_account:
20        CommandLine|contains:
21            - ' /account=system '
22            - ' /account=ti '
23    selection_exec:
24        CommandLine|contains: '/exec='
25    condition: all of selection_*
26fields:
27    - CommandLine
28    - ParentCommandLine
29falsepositives:
30    - Legitimate use by administrators
31level: high

References

Related rules

to-top