Suspicious SYSTEM User Process Creation

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Sigma rule

 1title: Suspicious SYSTEM User Process Creation
 2id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
 3status: test
 4description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
 5references:
 6    - Internal Research
 7    - https://tools.thehacker.recipes/mimikatz/modules
 8author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 9date: 2021/12/20
10modified: 2023/01/19
11tags:
12    - attack.credential_access
13    - attack.defense_evasion
14    - attack.privilege_escalation
15    - attack.t1134
16    - attack.t1003
17    - attack.t1027
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        IntegrityLevel: System
24        User|contains: # covers many language settings
25            - 'AUTHORI'
26            - 'AUTORI'
27    selection_special:
28        - Image|endswith:
29            - '\calc.exe'
30            - '\wscript.exe'
31            - '\cscript.exe'
32            - '\hh.exe'
33            - '\mshta.exe'
34            - '\forfiles.exe'
35            - '\ping.exe'
36        - CommandLine|contains:
37            # - 'sc stop ' # stops a system service # causes FPs
38            - ' -NoP '  # Often used in malicious PowerShell commands
39            - ' -W Hidden '  # Often used in malicious PowerShell commands
40            - ' -decode '  # Used with certutil
41            - ' /decode '  # Used with certutil
42            - ' /urlcache '  # Used with certutil
43            - ' -urlcache '  # Used with certutil
44            - ' -e* JAB'  # PowerShell encoded commands
45            - ' -e* SUVYI'  # PowerShell encoded commands
46            - ' -e* SQBFAFgA'  # PowerShell encoded commands
47            - ' -e* aWV4I'  # PowerShell encoded commands
48            - ' -e* IAB'  # PowerShell encoded commands
49            - ' -e* PAA'  # PowerShell encoded commands
50            - ' -e* aQBlAHgA'  # PowerShell encoded commands
51            - 'vssadmin delete shadows'  # Ransomware
52            - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
53            - ' -ma '  # ProcDump
54            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
55            - '.downloadstring('  # PowerShell download command
56            - '.downloadfile('  # PowerShell download command
57            - ' /ticket:'  # Rubeus
58            - 'dpapi::'     #Mimikatz
59            - 'event::clear'        #Mimikatz
60            - 'event::drop'     #Mimikatz
61            - 'id::modify'      #Mimikatz
62            - 'kerberos::'       #Mimikatz
63            - 'lsadump::'      #Mimikatz
64            - 'misc::'     #Mimikatz
65            - 'privilege::'       #Mimikatz
66            - 'rpc::'      #Mimikatz
67            - 'sekurlsa::'       #Mimikatz
68            - 'sid::'        #Mimikatz
69            - 'token::'      #Mimikatz
70            - 'vault::cred'     #Mimikatz
71            - 'vault::list'     #Mimikatz
72            - ' p::d '  # Mimikatz
73            - ';iex('  # PowerShell IEX
74            - 'MiniDump'  # Process dumping method apart from procdump
75            - 'net user '
76    filter_ping:
77        CommandLine: 'ping 127.0.0.1 -n 5'
78    filter_vs:
79        Image|endswith: '\PING.EXE'
80        ParentCommandLine|contains: '\DismFoDInstall.cmd'
81    filter_config_mgr:
82        ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
83    filter_java:
84        ParentImage|startswith: 'C:\Program Files (x86)\Java\'
85        ParentImage|endswith: '\bin\javaws.exe'
86        Image|startswith: 'C:\Program Files (x86)\Java\'
87        Image|endswith: '\bin\jp2launcher.exe'
88        CommandLine|contains: ' -ma '
89    condition: all of selection* and not 1 of filter_*
90falsepositives:
91    - Administrative activity
92    - Scripts and administrative tools used in the monitored environment
93    - Monitoring activity
94level: high
