Uncommon Sigverif.EXE Child Process
Detects uncommon child processes spawned by "sigverif.exe", which could indicate abuse of the latter as a living-off-the-land binary (LOLBin) to proxy execution.
Sigma rule:

```yaml
title: Uncommon Sigverif.EXE Child Process
id: 7d4aaec2-08ed-4430-8b96-28420e030e04
status: test
description: |
    Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living off the land binary in order to proxy execution.
references:
    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
    - https://twitter.com/0gtweet/status/1457676633809330184
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2024-08-27
tags:
    - attack.defense-evasion
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sigverif.exe'
    filter_main_werfault:
        Image:
            - 'C:\Windows\System32\WerFault.exe'
            - 'C:\Windows\SysWOW64\WerFault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
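The rule's logic, re-implemented as a small Python evaluator and run over constructed process_creation events. This is an added example, not part of the Sigma project or the rule page; the event dictionaries and the child image paths in them are constructed for illustration, and the matching follows Sigma's default case-insensitive string comparison.

```python
"""Evaluate the sigverif.exe Sigma rule against constructed process_creation events.

Sigma's ``endswith`` modifier and list values match case-insensitively, and the
condition ``selection and not 1 of filter_main_*`` means a child of sigverif.exe
alerts unless the child image is WerFault.exe in System32 or SysWOW64.
"""

# Values copied from the rule; lower-cased once so comparisons are case-insensitive.
PARENT_SUFFIX = "\\sigverif.exe"
WERFAULT_IMAGES = {
    "c:\\windows\\system32\\werfault.exe",
    "c:\\windows\\syswow64\\werfault.exe",
}


def selection(event: dict) -> bool:
    """selection: ParentImage|endswith '\\sigverif.exe'."""
    return event.get("ParentImage", "").lower().endswith(PARENT_SUFFIX)


def filter_main_werfault(event: dict) -> bool:
    """filter_main_werfault: Image is one of the two WerFault.exe paths."""
    return event.get("Image", "").lower() in WERFAULT_IMAGES


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* (only one filter exists)."""
    return selection(event) and not filter_main_werfault(event)


# Constructed sample events (not real telemetry); only ParentImage and Image matter here.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\sigverif.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe"},          # crash handler: filtered out
    {"ParentImage": "C:\\Windows\\System32\\sigverif.exe",
     "Image": "C:\\Users\\Public\\unexpected_child.exe"},      # uncommon child: alert
    {"ParentImage": "C:\\Windows\\Explorer.EXE",
     "Image": "C:\\Windows\\System32\\sigverif.exe"},          # sigverif itself: no alert
    {"ParentImage": "C:\\WINDOWS\\SYSTEM32\\SIGVERIF.EXE",
     "Image": "C:\\Windows\\SysWOW64\\WerFault.exe"},          # case differs: still filtered
]


def matching_images(events: list) -> list:
    """Return the Image of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in matching_images(SAMPLE_EVENTS):
        print("ALERT: uncommon sigverif.exe child ->", image)
```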
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Assembly Loading Via CL_LoadAssembly.ps1
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent