Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Sigma rule

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-11-11
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
            - '\calc.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\ping.exe'
            - '\wscript.exe'
        - CommandLine|contains:
            # - 'sc stop ' # stops a system service # causes FPs
            - ' -NoP ' # Often used in malicious PowerShell commands
            - ' -W Hidden ' # Often used in malicious PowerShell commands
            - ' -decode ' # Used with certutil
            - ' /decode ' # Used with certutil
            - ' /urlcache ' # Used with certutil
            - ' -urlcache ' # Used with certutil
            - ' -e* JAB' # PowerShell encoded commands
            - ' -e* SUVYI' # PowerShell encoded commands
            - ' -e* SQBFAFgA' # PowerShell encoded commands
            - ' -e* aWV4I' # PowerShell encoded commands
            - ' -e* IAB' # PowerShell encoded commands
            - ' -e* PAA' # PowerShell encoded commands
            - ' -e* aQBlAHgA' # PowerShell encoded commands
            - 'vssadmin delete shadows' # Ransomware
            - 'reg SAVE HKLM' # save registry SAM - syskey extraction
            - ' -ma ' # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
            - '.downloadstring(' # PowerShell download command
            - '.downloadfile(' # PowerShell download command
            - ' /ticket:' # Rubeus
            - 'dpapi::' # Mimikatz
            - 'event::clear' # Mimikatz
            - 'event::drop' # Mimikatz
            - 'id::modify' # Mimikatz
            - 'kerberos::' # Mimikatz
            - 'lsadump::' # Mimikatz
            - 'misc::' # Mimikatz
            - 'privilege::' # Mimikatz
            - 'rpc::' # Mimikatz
            - 'sekurlsa::' # Mimikatz
            - 'sid::' # Mimikatz
            - 'token::' # Mimikatz
            - 'vault::cred' # Mimikatz
            - 'vault::list' # Mimikatz
            - ' p::d ' # Mimikatz
            - ';iex(' # PowerShell IEX
            - 'MiniDump' # Process dumping method apart from procdump
            - 'net user '
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
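As an added example (not code from the rule or the Sigma project), a minimal Python evaluator for this rule's matching semantics run over constructed process_creation events: it implements the case-insensitive contains/endswith modifiers, the `*` wildcard in values such as ` -e* JAB`, the OR between the two maps of selection_special, and the condition `all of selection* and not 1 of filter_*`. Only a subset of the selection_special values and the two ping filters are included; the sample events are constructed, not real telemetry.

```python
import re

# Subset of the rule's selection_special values (the full rule lists more).
SUSPICIOUS_IMAGES = [r'\calc.exe', r'\cscript.exe', r'\mshta.exe', r'\ping.exe', r'\wscript.exe']
SUSPICIOUS_CMDLINE = [' -NoP ', ' -W Hidden ', ' -e* JAB', ' -e* SQBFAFgA', ' -ma ',
                      'vssadmin delete shadows', 'sekurlsa::', ';iex(', 'net user ']


def sigma_match(value, pattern, mode='contains'):
    """Case-insensitive Sigma string comparison; '*' in the pattern is a wildcard."""
    regex = '.*'.join(re.escape(part) for part in pattern.split('*'))
    if mode == 'contains':
        regex = '.*' + regex + '.*'
    elif mode == 'endswith':
        regex = '.*' + regex
    # mode 'equals' keeps the bare pattern: fullmatch then requires the whole value
    return re.fullmatch(regex, value or '', re.IGNORECASE | re.DOTALL) is not None


def matches_rule(ev):
    """Evaluate 'all of selection* and not 1 of filter_*' for one event dict."""
    selection = (sigma_match(ev.get('IntegrityLevel'), 'System', 'equals')
                 and any(sigma_match(ev.get('User'), u) for u in ('AUTHORI', 'AUTORI')))
    # selection_special is a list of maps, so the Image and CommandLine maps are ORed
    selection_special = (any(sigma_match(ev.get('Image'), i, 'endswith') for i in SUSPICIOUS_IMAGES)
                         or any(sigma_match(ev.get('CommandLine'), c) for c in SUSPICIOUS_CMDLINE))
    filter_main_ping = all(sigma_match(ev.get('CommandLine'), t) for t in ('ping', '127.0.0.1', ' -n '))
    filter_vs = (sigma_match(ev.get('Image'), r'\PING.EXE', 'endswith')
                 and sigma_match(ev.get('ParentCommandLine'), r'\DismFoDInstall.cmd'))
    return selection and selection_special and not (filter_main_ping or filter_vs)


# Constructed sample events (not real telemetry); the base64 decodes to "$c=1".
EVENTS = [
    {'IntegrityLevel': 'System', 'User': r'NT AUTHORITY\SYSTEM',
     'Image': r'C:\Windows\System32\mshta.exe', 'CommandLine': r'mshta.exe C:\Temp\update.hta'},
    {'IntegrityLevel': 'System', 'User': r'AUTORITE NT\Système',  # localized SYSTEM account name
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell.exe -NonI -EncodedCommand JABjAPQAMQA='},
    {'IntegrityLevel': 'System', 'User': r'NT AUTHORITY\SYSTEM',
     'Image': r'C:\Windows\System32\PING.EXE', 'CommandLine': 'ping 127.0.0.1 -n 5'},  # filtered
    {'IntegrityLevel': 'High', 'User': r'CORP\admin',
     'Image': r'C:\Windows\System32\wscript.exe', 'CommandLine': 'wscript.exe logon.vbs'},
]

if __name__ == '__main__':
    for ev in EVENTS:
        print(matches_rule(ev), ev['CommandLine'])
```

The third event shows why filter_main_ping exists: a SYSTEM `ping 127.0.0.1 -n` is a common script sleep idiom, so it is suppressed even though `\ping.exe` is in the suspicious image list.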