Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe
Sigma rule
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
    - https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\stordiag.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\systeminfo.exe'
            - '\fltmc.exe'
    filter:
        ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
            - 'c:\windows\system32\'
            - 'c:\windows\syswow64\'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of stordiag.exe.
level: high
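To show how the rule's selection and filter interact, the following added example (not the rule's own code or SigmaHQ's) applies the same endswith/startswith matching to a handful of constructed process_creation events; the event field names follow the Sigma rule, the sample paths are made up.

```python
# Added example, not part of the Sigma rule: evaluate this rule's
# `selection and not filter` logic over constructed process_creation events.
from typing import Dict, List

# Sigma string matching is case-insensitive by default, and the entries of a
# value list are OR-ed together.
PARENT_ENDSWITH = "\\stordiag.exe"
CHILD_ENDSWITH = ("\\schtasks.exe", "\\systeminfo.exe", "\\fltmc.exe")
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def selection(event: Dict[str, str]) -> bool:
    """stordiag.exe (from any folder) spawning one of the three child images."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith(PARENT_ENDSWITH) and image.endswith(CHILD_ENDSWITH)


def filter_(event: Dict[str, str]) -> bool:
    """The rule's filter: parent located in System32 or SysWOW64 is expected."""
    return event.get("ParentImage", "").lower().startswith(TRUSTED_PARENT_PREFIXES)


def matches(event: Dict[str, str]) -> bool:
    return selection(event) and not filter_(event)


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the 1-based indices of events that would raise this alert."""
    return [i for i, e in enumerate(events, 1) if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: stordiag.exe copied out of System32 spawns schtasks.exe -> alert
    {"ParentImage": "C:\\Users\\Public\\stordiag.exe", "Image": "C:\\Windows\\System32\\schtasks.exe"},
    # 2: the genuine System32 binary spawning fltmc.exe -> suppressed by the filter
    {"ParentImage": "C:\\Windows\\System32\\stordiag.exe", "Image": "C:\\Windows\\System32\\fltmc.exe"},
    # 3: the SysWOW64 copy -> also suppressed by the filter
    {"ParentImage": "C:\\Windows\\SysWOW64\\stordiag.exe", "Image": "C:\\Windows\\System32\\systeminfo.exe"},
    # 4: relocated stordiag.exe with a child the rule does not list -> no selection hit
    {"ParentImage": "D:\\tools\\stordiag.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    # 5: a different parent spawning systeminfo.exe -> no selection hit
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\systeminfo.exe"},
]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS, 1):
        print(i, "ALERT" if matches(e) else "ok   ", e["ParentImage"], "->", e["Image"])
```

Only the first event alerts: the filter is what separates the normal System32 copy from one that has been moved, so telemetry must carry the full parent path for the rule to behave as intended.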
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE