Execution via stordiag.exe

Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe

Sigma rule

title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
    - https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021/10/21
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\stordiag.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\systeminfo.exe'
            - '\fltmc.exe'
    filter:
        ParentImage|startswith: # the technique's first step is "Copy c:\windows\system32\stordiag.exe to a folder", so the genuine system copies are excluded
            - 'c:\windows\system32\'
            - 'c:\windows\syswow64\'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of stordiag.exe.
level: high
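The following is an added example, not part of the rule or the SigmaHQ project: a small Python matcher that implements the rule's `selection and not filter` logic and runs it over constructed process_creation events. It assumes each event is a dict carrying the rule's own field names (`ParentImage`, `Image`); the file paths in the sample events are made up for illustration. Sigma's `endswith`/`startswith` modifiers compare case-insensitively by default, so the matcher lower-cases both sides, which is why the mixed-case sample also fires.

```python
"""Evaluate the 'Execution via stordiag.exe' Sigma logic against
constructed process_creation events (added example, not the rule itself)."""

# Values copied from the rule's detection block.
PARENT_SUFFIX = "\\stordiag.exe"
CHILD_SUFFIXES = ("\\schtasks.exe", "\\systeminfo.exe", "\\fltmc.exe")
LEGIT_PARENT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def matches(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'.

    Sigma string modifiers (endswith/startswith) are case-insensitive by
    default, so both the event fields and the patterns are compared in
    lower case.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # selection: parent is stordiag.exe AND child is one of the three LOLBins
    selection = parent.endswith(PARENT_SUFFIX) and image.endswith(CHILD_SUFFIXES)
    # filter: the parent runs from its genuine system32/syswow64 location
    filter_ = parent.startswith(LEGIT_PARENT_PREFIXES)
    return selection and not filter_


# Constructed sample events (hypothetical paths, not taken from the page).
SAMPLE_EVENTS = [
    # 1: stordiag.exe copied to a user-writable folder, spawning schtasks -> alert
    {"ParentImage": "C:\\Users\\Public\\tools\\stordiag.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe"},
    # 2: genuine system32 copy spawning fltmc -> filtered out (legitimate diag run)
    {"ParentImage": "C:\\Windows\\System32\\stordiag.exe",
     "Image": "C:\\Windows\\System32\\fltmc.exe"},
    # 3: genuine SysWOW64 copy spawning systeminfo -> filtered out
    {"ParentImage": "C:\\Windows\\SysWOW64\\stordiag.exe",
     "Image": "C:\\Windows\\System32\\systeminfo.exe"},
    # 4: relocated stordiag.exe spawning a child the rule does not list -> no match
    {"ParentImage": "C:\\Temp\\stordiag.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    # 5: relocated copy with mixed-case paths -> alert (matching is case-insensitive)
    {"ParentImage": "c:\\temp\\STORDIAG.EXE",
     "Image": "c:\\windows\\system32\\SYSTEMINFO.EXE"},
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the 1-based indices of the events the rule would fire on."""
    return [i for i, ev in enumerate(events, start=1) if matches(ev)]


if __name__ == "__main__":
    for idx in alerting_events():
        ev = SAMPLE_EVENTS[idx - 1]
        print(f"ALERT event {idx}: {ev['ParentImage']} -> {ev['Image']}")
```

Events 2 and 3 show why the filter exists: the stordiag.exe shipped in system32 legitimately launches these same helpers, and suppressing that path is what keeps the rule at a usable false-positive rate while still catching a copy that has been moved elsewhere.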
