Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Sigma rule (View on GitHub)
1title: Renamed Plink Execution
2id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
3status: test
4description: Detects the execution of a renamed version of the Plink binary
5references:
6 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
7 - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022-06-06
10modified: 2023-02-03
11tags:
12 - attack.defense-evasion
13 - attack.t1036
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - OriginalFileName: 'Plink'
20 - CommandLine|contains|all:
21 - ' -l forward'
22 - ' -P '
23 - ' -R '
24 filter:
25 Image|endswith: '\plink.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: high
References
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution