Renamed Vmnat.exe Execution

Aug 12, 2024 · attack.defense-evasion attack.t1574.002 ·

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Sigma rule (View on GitHub)

 1title: Renamed Vmnat.exe Execution
 2id: 7b4f794b-590a-4ad4-ba18-7964a2832205
 3status: test
 4description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
 5references:
 6    - https://twitter.com/malmoeb/status/1525901219247845376
 7author: elhoim
 8date: 2022-09-09
 9modified: 2023-02-03
10tags:
11    - attack.defense-evasion
12    - attack.t1574.002
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        OriginalFileName: 'vmnat.exe'
19    filter_rename:
20        Image|endswith: 'vmnat.exe'
21    condition: selection and not 1 of filter_*
22falsepositives:
23    - Unknown
24level: high

References

x.com

Read More

Related rules

APT27 - Emissary Panda Activity
Creation Of Non-Existent System DLL
DHCP Callout DLL Installation
DHCP Server Error Failed Loading the CallOut DLL
DHCP Server Loaded the CallOut DLL

Renamed Vmnat.exe Execution

Sigma rule (View on GitHub)

References

x.com

Related rules