Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Sigma rule (View on GitHub)
1title: Renamed Plink Execution
2id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
3status: test
4description: Detects the execution of a renamed version of the Plink binary
5references:
6 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
7 - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/06/06
10modified: 2023/02/03
11tags:
12 - attack.defense_evasion
13 - attack.t1036
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - OriginalFileName: 'Plink'
20 - CommandLine|contains|all:
21 - ' -l forward'
22 - ' -P '
23 - ' -R '
24 filter:
25 Image|endswith: '\plink.exe'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: high
References
-
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files o…
Read More -
Previous | Contents | Index | Next Chapter 7: Using the command-line connection tool Plink Plink (PuTTY Link) is a command-line connection tool similar to UNIX ssh. It is mostly used for automated ...
Read More
Related rules
- Execution from Suspicious Folder
- Suspicious Windows Update Agent Empty Cmdline
- Suspicious Calculator Usage
- System File Execution Location Anomaly
- Explorer Process Tree Break