Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Sigma rule

```yaml
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-12-01
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP ' # Often used in malicious PowerShell commands
              - ' -W Hidden ' # Often used in malicious PowerShell commands
              - ' -decode ' # Used with certutil
              - ' /decode ' # Used with certutil
              - ' /urlcache ' # Used with certutil
              - ' -urlcache ' # Used with certutil
              - ' -e* JAB' # PowerShell encoded commands
              - ' -e* SUVYI' # PowerShell encoded commands
              - ' -e* SQBFAFgA' # PowerShell encoded commands
              - ' -e* aWV4I' # PowerShell encoded commands
              - ' -e* IAB' # PowerShell encoded commands
              - ' -e* PAA' # PowerShell encoded commands
              - ' -e* aQBlAHgA' # PowerShell encoded commands
              - 'vssadmin delete shadows' # Ransomware
              - 'reg SAVE HKLM' # save registry SAM - syskey extraction
              - ' -ma ' # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
              - '.downloadstring(' # PowerShell download command
              - '.downloadfile(' # PowerShell download command
              - ' /ticket:' # Rubeus
              - 'dpapi::' # Mimikatz
              - 'event::clear' # Mimikatz
              - 'event::drop' # Mimikatz
              - 'id::modify' # Mimikatz
              - 'kerberos::' # Mimikatz
              - 'lsadump::' # Mimikatz
              - 'misc::' # Mimikatz
              - 'privilege::' # Mimikatz
              - 'rpc::' # Mimikatz
              - 'sekurlsa::' # Mimikatz
              - 'sid::' # Mimikatz
              - 'token::' # Mimikatz
              - 'vault::cred' # Mimikatz
              - 'vault::list' # Mimikatz
              - ' p::d ' # Mimikatz
              - ';iex(' # PowerShell IEX
              - 'MiniDump' # Process dumping method apart from procdump
              - 'net user '
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
```
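To make the rule's logic concrete, the following added example (not part of the rule or of the Sigma project) evaluates the condition `all of selection* and not 1 of filter_*` over a few constructed process-creation events. It implements Sigma's matching semantics by hand (case-insensitive strings, `*` as a wildcard, a value list meaning OR, fields inside one selection meaning AND, `|all` meaning AND over the list) and uses only an abridged subset of the rule's command-line strings; the event dictionaries are constructed, not real telemetry.

```python
import re

def _rx(value, modifier):
    """One Sigma value -> regex: case-insensitive, '*' wildcard, anchoring per modifier."""
    body = ".*".join(re.escape(p) for p in value.split("*"))
    pre = ".*" if modifier in ("contains", "endswith") else ""
    post = ".*" if modifier == "contains" else ""
    return re.compile(pre + body + post, re.I | re.S)

def field_matches(ev, field, values, modifier="contains", need_all=False):
    """A list of values is OR by default, AND with the |all modifier."""
    hits = [_rx(v, modifier).fullmatch(str(ev.get(field, ""))) is not None for v in values]
    return all(hits) if need_all else any(hits)

# Subset of the rule's strings (abridged here; the rule lists many more).
IMAGES = ["\\calc.exe", "\\cscript.exe", "\\mshta.exe", "\\ping.exe", "\\wscript.exe"]
CMDLINE = [" -NoP ", " -W Hidden ", " -e* JAB", " -e* SQBFAFgA", "sekurlsa::",
           "lsadump::", " -ma ", ".downloadstring(", "vssadmin delete shadows"]
JAVA_DIRS = [":\\Program Files (x86)\\Java\\", ":\\Program Files\\Java\\"]

def selection(ev):  # SYSTEM integrity level AND a SYSTEM-like account name
    return (field_matches(ev, "IntegrityLevel", ["System", "S-1-16-16384"], "equals")
            and field_matches(ev, "User", ["AUTHORI", "AUTORI"]))
def selection_special(ev):  # two list items: suspicious image OR suspicious command line
    return (field_matches(ev, "Image", IMAGES, "endswith")
            or field_matches(ev, "CommandLine", CMDLINE))
def any_filter(ev):  # "1 of filter_*"; fields inside one filter are ANDed
    ping = field_matches(ev, "CommandLine", ["ping", "127.0.0.1", " -n "], need_all=True)
    vs = (field_matches(ev, "Image", ["\\PING.EXE"], "endswith")
          and field_matches(ev, "ParentCommandLine", ["\\DismFoDInstall.cmd"]))
    cfg = field_matches(ev, "ParentImage", [":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\"])
    java = (field_matches(ev, "ParentImage", JAVA_DIRS)
            and field_matches(ev, "ParentImage", ["\\bin\\javaws.exe"], "endswith")
            and field_matches(ev, "Image", JAVA_DIRS)
            and field_matches(ev, "Image", ["\\bin\\jp2launcher.exe"], "endswith")
            and field_matches(ev, "CommandLine", [" -ma "]))
    return ping or vs or cfg or java
def rule_fires(ev):
    """condition: all of selection* and not 1 of filter_*"""
    return selection(ev) and selection_special(ev) and not any_filter(ev)

# Constructed sample events, not real telemetry.
SYSTEM = {"IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"}
EVENTS = {
    "encoded_powershell": {**SYSTEM, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                           "CommandLine": "powershell.exe -nop -w hidden -enc JABzAD0ATgBlAHcA"},
    "benign_ping_wait": {**SYSTEM, "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping 127.0.0.1 -n 10"},
    "user_context_dump": {"IntegrityLevel": "High", "User": "CORP\\alice", "Image": "C:\\Tools\\m.exe",
                          "CommandLine": "m.exe sekurlsa::logonpasswords"},
}
RESULTS = {name: rule_fires(ev) for name, ev in EVENTS.items()}
```

The ping event shows why `filter_main_ping` exists: `\ping.exe` alone satisfies `selection_special`, so the common `ping 127.0.0.1 -n N` sleep idiom would alert on every SYSTEM-run script without the carve-out; the third event is out of scope because the rule only looks at SYSTEM-integrity processes.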