Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Sigma rule

```yaml
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021/12/20
modified: 2023/01/19
tags:
    - attack.credential_access
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
            - '\calc.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\forfiles.exe'
            - '\ping.exe'
        - CommandLine|contains:
            # - 'sc stop ' # stops a system service # causes FPs
            - ' -NoP ' # Often used in malicious PowerShell commands
            - ' -W Hidden ' # Often used in malicious PowerShell commands
            - ' -decode ' # Used with certutil
            - ' /decode ' # Used with certutil
            - ' /urlcache ' # Used with certutil
            - ' -urlcache ' # Used with certutil
            - ' -e* JAB' # PowerShell encoded commands
            - ' -e* SUVYI' # PowerShell encoded commands
            - ' -e* SQBFAFgA' # PowerShell encoded commands
            - ' -e* aWV4I' # PowerShell encoded commands
            - ' -e* IAB' # PowerShell encoded commands
            - ' -e* PAA' # PowerShell encoded commands
            - ' -e* aQBlAHgA' # PowerShell encoded commands
            - 'vssadmin delete shadows' # Ransomware
            - 'reg SAVE HKLM' # save registry SAM - syskey extraction
            - ' -ma ' # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
            - '.downloadstring(' # PowerShell download command
            - '.downloadfile(' # PowerShell download command
            - ' /ticket:' # Rubeus
            - 'dpapi::' # Mimikatz
            - 'event::clear' # Mimikatz
            - 'event::drop' # Mimikatz
            - 'id::modify' # Mimikatz
            - 'kerberos::' # Mimikatz
            - 'lsadump::' # Mimikatz
            - 'misc::' # Mimikatz
            - 'privilege::' # Mimikatz
            - 'rpc::' # Mimikatz
            - 'sekurlsa::' # Mimikatz
            - 'sid::' # Mimikatz
            - 'token::' # Mimikatz
            - 'vault::cred' # Mimikatz
            - 'vault::list' # Mimikatz
            - ' p::d ' # Mimikatz
            - ';iex(' # PowerShell IEX
            - 'MiniDump' # Process dumping method apart from procdump
            - 'net user '
    filter_ping:
        CommandLine: 'ping 127.0.0.1 -n 5'
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|startswith: 'C:\Program Files (x86)\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
```
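To see how the condition `all of selection* and not 1 of filter_*` evaluates, here is an added Python sketch (not part of the Sigma project or of this rule) that applies the rule to three constructed process-creation events. It uses only a subset of the rule's value lists, omits `filter_java`, and assumes Sigma's default semantics: string matching is case-insensitive, a YAML list of maps is OR-ed, and `*` inside a `contains` value is a wildcard.

```python
import re

# Subset of the rule's selection_special lists (the full rule carries more entries).
IMAGE_SUFFIXES = ['\\calc.exe', '\\wscript.exe', '\\cscript.exe', '\\hh.exe',
                  '\\mshta.exe', '\\forfiles.exe', '\\ping.exe']
CMDLINE_PATTERNS = [' -NoP ', ' -W Hidden ', ' -decode ', ' /urlcache ', ' -e* JAB',
                    ' -e* SQBFAFgA', 'vssadmin delete shadows', 'reg SAVE HKLM', ' -ma ',
                    'sekurlsa::', 'lsadump::', ';iex(', 'MiniDump', 'net user ']

def contains(value, pattern):
    """Sigma 'contains' modifier: case-insensitive substring; '*' matches any run."""
    rx = '.*'.join(re.escape(part) for part in pattern.split('*'))
    return re.search(rx, value, re.IGNORECASE) is not None

def selection(ev):
    """IntegrityLevel is System AND User contains 'AUTHORI' or 'AUTORI'."""
    return (ev.get('IntegrityLevel', '').lower() == 'system'
            and any(contains(ev.get('User', ''), u) for u in ('AUTHORI', 'AUTORI')))

def selection_special(ev):
    """A YAML list of maps is OR-ed in Sigma: suspicious image OR suspicious command line."""
    image, cmd = ev.get('Image', '').lower(), ev.get('CommandLine', '')
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or any(contains(cmd, p) for p in CMDLINE_PATTERNS))

def any_filter(ev):
    """'1 of filter_*': filter_ping, filter_vs and filter_config_mgr (filter_java omitted)."""
    image, cmd = ev.get('Image', '').lower(), ev.get('CommandLine', '')
    vs = image.endswith('\\ping.exe') and contains(ev.get('ParentCommandLine', ''), '\\DismFoDInstall.cmd')
    cfg_prefix = 'c:\\packages\\plugins\\microsoft.guestconfiguration.configurationforwindows\\'
    cfg = ev.get('ParentImage', '').lower().startswith(cfg_prefix)
    return cmd.lower() == 'ping 127.0.0.1 -n 5' or vs or cfg

def matches(ev):
    """condition: all of selection* and not 1 of filter_*"""
    return selection(ev) and selection_special(ev) and not any_filter(ev)

# Constructed sample process_creation events, not real telemetry.
EVENTS = [
    {'IntegrityLevel': 'System', 'User': 'NT AUTHORITY\\SYSTEM',
     'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -NoP -W Hidden -enc JABzAD0AJwBhACcA'},
    {'IntegrityLevel': 'System', 'User': 'NT AUTHORITY\\SYSTEM',
     'Image': 'C:\\Windows\\System32\\PING.EXE', 'CommandLine': 'ping 127.0.0.1 -n 5'},
    {'IntegrityLevel': 'High', 'User': 'CORP\\admin', 'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd /c vssadmin delete shadows /all /quiet'},
]

def alerts(events=EVENTS):
    # Only the SYSTEM PowerShell launch fires: the ping is excluded by filter_ping,
    # and the vssadmin call fails the integrity-level requirement of 'selection'.
    return [i for i, ev in enumerate(events) if matches(ev)]
```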