Suspicious RunAs-Like Flag Combination

Detects suspicious command-line flag combinations that let the user set a target user and a command to run, as seen for example in PsExec-like tools.

Sigma rule

```yaml
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022/11/11
tags:
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_user:
        CommandLine|contains:
            - ' -u system '
            - ' --user system '
            - ' -u NT'
            - ' -u "NT'
            - " -u 'NT"
            - ' --system '
            - ' -u administrator '
    selection_command:
        CommandLine|contains:
            - ' -c cmd'
            - ' -c "cmd'
            - ' -c powershell'
            - ' -c "powershell'
            - ' --command cmd'
            - ' --command powershell'
            - ' -c whoami'
            - ' -c wscript'
            - ' -c cscript'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
```
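To show how the two selections combine under `condition: all of selection*`, the following is an added example (not the rule's own code and not pySigma or any Sigma backend) that re-implements the rule's matching over constructed process_creation events; the sample events and the case-insensitive substring semantics of `contains` are assumptions made here.

```python
# Added example (not the rule's own code, not pySigma): re-implements the rule's
# matching logic over constructed process_creation events. Sigma's `contains`
# is case-insensitive substring matching; that semantics and the sample events
# are assumptions made here.

# Selection lists copied from the rule; values inside one list are OR-ed.
SELECTION_USER = [
    " -u system ", " --user system ", " -u NT", ' -u "NT', " -u 'NT",
    " --system ", " -u administrator ",
]
SELECTION_COMMAND = [
    " -c cmd", ' -c "cmd', " -c powershell", ' -c "powershell',
    " --command cmd", " --command powershell", " -c whoami",
    " -c wscript", " -c cscript",
]

def selection_matches(command_line: str, needles: list[str]) -> bool:
    """`CommandLine|contains` with a list: true if any needle is a substring (case-insensitive)."""
    haystack = command_line.lower()
    return any(needle.lower() in haystack for needle in needles)

def rule_matches(event: dict) -> bool:
    """`condition: all of selection*`: every selection must match the same event."""
    cmd = event.get("CommandLine", "")
    return (selection_matches(cmd, SELECTION_USER)
            and selection_matches(cmd, SELECTION_COMMAND))

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"CommandLine": "runas-tool.exe -u system -c cmd /c whoami"},          # both selections hit
    {"CommandLine": 'runas-tool.exe --system -c "powershell -NoProfile"'},  # both selections hit
    {"CommandLine": "cmd.exe /c whoami"},                                   # no user flag
    {"CommandLine": r"backup.exe -u system -d D:\data"},                    # user flag, no -c/--command
    {"CommandLine": "runas-tool.exe -c cmd -u system"},                     # ' -u system ' needs trailing space
]

def alerts(events: list[dict]) -> list[str]:
    """Command lines of the events the rule fires on, in input order."""
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first two sample events alert: the last one shows that the padded needles such as `' -u system '` do not match when the user flag is the final token of the command line, which is worth keeping in mind when tuning the rule.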
