Renamed Vmnat.exe Execution

Dec 1, 2023 · attack.defense_evasion attack.t1574.002 ·

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Sigma rule (View on GitHub)

 1title: Renamed Vmnat.exe Execution
 2id: 7b4f794b-590a-4ad4-ba18-7964a2832205
 3status: test
 4description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
 5references:
 6    - https://twitter.com/malmoeb/status/1525901219247845376
 7author: elhoim
 8date: 2022/09/09
 9modified: 2023/02/03
10tags:
11    - attack.defense_evasion
12    - attack.t1574.002
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        OriginalFileName: 'vmnat.exe'
19    filter_rename:
20        Image|endswith: 'vmnat.exe'
21    condition: selection and not 1 of filter_*
22falsepositives:
23    - Unknown
24level: high

References

Something went wrong, but don’t fret — let’s give it another shot.

Read More

Related rules

Potential DLL Sideloading Via DeviceEnroller.EXE
Lazarus APT DLL Sideloading Activity
Suspicious Unsigned Thor Scanner Execution
Diamond Sleet APT DLL Sideloading Indicators
Potential Azure Browser SSO Abuse