Renamed Vmnat.exe Execution
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Sigma rule (View on GitHub)
1title: Renamed Vmnat.exe Execution
2id: 7b4f794b-590a-4ad4-ba18-7964a2832205
3status: test
4description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
5references:
6 - https://twitter.com/malmoeb/status/1525901219247845376
7author: elhoim
8date: 2022-09-09
9modified: 2023-02-03
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.t1574.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 OriginalFileName: 'vmnat.exe'
21 filter_rename:
22 Image|endswith: 'vmnat.exe'
23 condition: selection and not 1 of filter_*
24falsepositives:
25 - Unknown
26level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL