Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Sigma rule
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_user:
        CommandLine|contains:
            - ' -u system '
            - ' --user system '
            - ' -u NT'
            - ' -u "NT'
            - " -u 'NT"
            - ' --system '
            - ' -u administrator '
    selection_command:
        CommandLine|contains:
            - ' -c cmd'
            - ' -c "cmd'
            - ' -c powershell'
            - ' -c "powershell'
            - ' --command cmd'
            - ' --command powershell'
            - ' -c whoami'
            - ' -c wscript'
            - ' -c cscript'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
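The rule fires only when both selections match the same process-creation event: one of the user-targeting flags AND one of the command flags must appear in CommandLine (`all of selection*`). Sigma's `contains` modifier is a case-insensitive substring test, so ` -U SYSTEM -C CMD` matches the same as its lower-case form, and the surrounding spaces in the patterns are deliberate (` -u system ` will not match `-user system`). The following is an added example, not code from the Sigma project or the rule author: a minimal Python evaluator for this rule run over a handful of constructed Windows process-creation events, to show which lines the two selections and the logsource filter let through.

```python
"""Stand-alone evaluator for the 'Suspicious RunAs-Like Flag Combination' rule.

Added example (not part of the Sigma project). The pattern lists are copied
from the rule above; the event records are constructed sample data.
"""

# selection_user: patterns taken verbatim from the rule
SELECTION_USER = [
    ' -u system ',
    ' --user system ',
    ' -u NT',
    ' -u "NT',
    " -u 'NT",
    ' --system ',
    ' -u administrator ',
]

# selection_command: patterns taken verbatim from the rule
SELECTION_COMMAND = [
    ' -c cmd',
    ' -c "cmd',
    ' -c powershell',
    ' -c "powershell',
    ' --command cmd',
    ' --command powershell',
    ' -c whoami',
    ' -c wscript',
    ' -c cscript',
]


def contains_any(command_line: str, patterns: list[str]) -> bool:
    """Sigma '|contains': case-insensitive substring match against any pattern."""
    haystack = command_line.lower()
    return any(p.lower() in haystack for p in patterns)


def matches_rule(event: dict) -> bool:
    """Apply logsource gating, then the condition 'all of selection*'."""
    # logsource: only Windows process_creation events are in scope
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return False
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, SELECTION_USER) and contains_any(cmd, SELECTION_COMMAND)


def run_rule(events: list[dict]) -> list[int]:
    """Return the ids of events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical host and tool names, not real telemetry).
SAMPLE_EVENTS = [
    # 1: target user + command flag -> both selections match
    {"id": 1, "category": "process_creation", "product": "windows",
     "CommandLine": r"C:\Tools\remote.exe \\SERVER01 -u system -c cmd.exe /c whoami"},
    # 2: user flag only, spawned program not in selection_command -> no alert
    {"id": 2, "category": "process_creation", "product": "windows",
     "CommandLine": r"C:\Tools\remote.exe \\SERVER01 -u system -c notepad.exe"},
    # 3: built-in runas uses /user: syntax, none of the listed flags -> no alert
    {"id": 3, "category": "process_creation", "product": "windows",
     "CommandLine": r"C:\Windows\System32\runas.exe /user:Administrator cmd.exe"},
    # 4: same as 1 but upper-case flags -> still matches (contains is case-insensitive)
    {"id": 4, "category": "process_creation", "product": "windows",
     "CommandLine": r"C:\Tools\remote.exe -U SYSTEM -C CMD /c whoami"},
    # 5: long-form flags ' --system ' and ' --command powershell' -> alert
    {"id": 5, "category": "process_creation", "product": "windows",
     "CommandLine": r"C:\Tools\remote.exe --system --command powershell -NoProfile"},
    # 6: identical flags but wrong logsource (not Windows) -> filtered out
    {"id": 6, "category": "process_creation", "product": "linux",
     "CommandLine": "./tool -u system -c cmd"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"event {e['id']}: {'ALERT' if matches_rule(e) else 'ok'}  {e['CommandLine']}")
```

Event 2 is the case worth noting when tuning: the user-targeting flag alone is not enough, so a PsExec-like invocation that launches something other than the listed interpreters passes silently, which is the trade-off the author accepted to keep the false-positive rate at "medium".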