Suspicious SYSTEM User Process Creation

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Sigma rule (View on GitHub)

 1title: Suspicious SYSTEM User Process Creation
 2id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
 3status: test
 4description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
 5references:
 6    - Internal Research
 7    - https://tools.thehacker.recipes/mimikatz/modules
 8author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 9date: 2021/12/20
10modified: 2023/12/14
11tags:
12    - attack.credential_access
13    - attack.defense_evasion
14    - attack.privilege_escalation
15    - attack.t1134
16    - attack.t1003
17    - attack.t1027
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        IntegrityLevel: System
24        User|contains: # covers many language settings
25            - 'AUTHORI'
26            - 'AUTORI'
27    selection_special:
28        - Image|endswith:
29              - '\calc.exe'
30              - '\wscript.exe'
31              - '\cscript.exe'
32              - '\hh.exe'
33              - '\mshta.exe'
34              - '\forfiles.exe'
35              - '\ping.exe'
36        - CommandLine|contains:
37              # - 'sc stop ' # stops a system service # causes FPs
38              - ' -NoP '  # Often used in malicious PowerShell commands
39              - ' -W Hidden '  # Often used in malicious PowerShell commands
40              - ' -decode '  # Used with certutil
41              - ' /decode '  # Used with certutil
42              - ' /urlcache '  # Used with certutil
43              - ' -urlcache '  # Used with certutil
44              - ' -e* JAB'  # PowerShell encoded commands
45              - ' -e* SUVYI'  # PowerShell encoded commands
46              - ' -e* SQBFAFgA'  # PowerShell encoded commands
47              - ' -e* aWV4I'  # PowerShell encoded commands
48              - ' -e* IAB'  # PowerShell encoded commands
49              - ' -e* PAA'  # PowerShell encoded commands
50              - ' -e* aQBlAHgA'  # PowerShell encoded commands
51              - 'vssadmin delete shadows'  # Ransomware
52              - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
53              - ' -ma '  # ProcDump
54              - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
55              - '.downloadstring('  # PowerShell download command
56              - '.downloadfile('  # PowerShell download command
57              - ' /ticket:'  # Rubeus
58              - 'dpapi::'     # Mimikatz
59              - 'event::clear'        # Mimikatz
60              - 'event::drop'     # Mimikatz
61              - 'id::modify'      # Mimikatz
62              - 'kerberos::'       # Mimikatz
63              - 'lsadump::'      # Mimikatz
64              - 'misc::'     # Mimikatz
65              - 'privilege::'       # Mimikatz
66              - 'rpc::'      # Mimikatz
67              - 'sekurlsa::'       # Mimikatz
68              - 'sid::'        # Mimikatz
69              - 'token::'      # Mimikatz
70              - 'vault::cred'     # Mimikatz
71              - 'vault::list'     # Mimikatz
72              - ' p::d '  # Mimikatz
73              - ';iex('  # PowerShell IEX
74              - 'MiniDump'  # Process dumping method apart from procdump
75              - 'net user '
76    filter_ping:
77        CommandLine: 'ping 127.0.0.1 -n 5'
78    filter_vs:
79        Image|endswith: '\PING.EXE'
80        ParentCommandLine|contains: '\DismFoDInstall.cmd'
81    filter_config_mgr:
82        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
83    filter_java:
84        ParentImage|contains:
85            - ':\Program Files (x86)\Java\'
86            - ':\Program Files\Java\'
87        ParentImage|endswith: '\bin\javaws.exe'
88        Image|contains:
89            - ':\Program Files (x86)\Java\'
90            - ':\Program Files\Java\'
91        Image|endswith: '\bin\jp2launcher.exe'
92        CommandLine|contains: ' -ma '
93    condition: all of selection* and not 1 of filter_*
94falsepositives:
95    - Administrative activity
96    - Scripts and administrative tools used in the monitored environment
97    - Monitoring activity
98level: high

References

Related rules
