Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Sigma rule
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-07-22
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP ' # Often used in malicious PowerShell commands
              - ' -W Hidden ' # Often used in malicious PowerShell commands
              - ' -decode ' # Used with certutil
              - ' /decode ' # Used with certutil
              - ' /urlcache ' # Used with certutil
              - ' -urlcache ' # Used with certutil
              - ' -e* JAB' # PowerShell encoded commands
              - ' -e* SUVYI' # PowerShell encoded commands
              - ' -e* SQBFAFgA' # PowerShell encoded commands
              - ' -e* aWV4I' # PowerShell encoded commands
              - ' -e* IAB' # PowerShell encoded commands
              - ' -e* PAA' # PowerShell encoded commands
              - ' -e* aQBlAHgA' # PowerShell encoded commands
              - 'vssadmin delete shadows' # Ransomware
              - 'reg SAVE HKLM' # save registry SAM - syskey extraction
              - ' -ma ' # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
              - '.downloadstring(' # PowerShell download command
              - '.downloadfile(' # PowerShell download command
              - ' /ticket:' # Rubeus
              - 'dpapi::' # Mimikatz
              - 'event::clear' # Mimikatz
              - 'event::drop' # Mimikatz
              - 'id::modify' # Mimikatz
              - 'kerberos::' # Mimikatz
              - 'lsadump::' # Mimikatz
              - 'misc::' # Mimikatz
              - 'privilege::' # Mimikatz
              - 'rpc::' # Mimikatz
              - 'sekurlsa::' # Mimikatz
              - 'sid::' # Mimikatz
              - 'token::' # Mimikatz
              - 'vault::cred' # Mimikatz
              - 'vault::list' # Mimikatz
              - ' p::d ' # Mimikatz
              - ';iex(' # PowerShell IEX
              - 'MiniDump' # Process dumping method apart from procdump
              - 'net user '
    filter_main_ping:
        CommandLine|contains: 'ping 127.0.0.1 -n'
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
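To show how the rule's selections and filters combine under Sigma's matching semantics (case-insensitive comparison, `*` as a wildcard inside values, `contains`/`endswith` modifiers, a map as AND, a list of maps as OR), here is an added Python evaluator that is not part of the Sigma project or this rule. It uses an abbreviated subset of the rule's value lists and constructed process_creation events, and assumes a backend would evaluate the rule the same way.

```python
import re

# Abbreviated subset of the rule's selections and filters (constructed; the full
# value lists are in the rule above). Keys are "Field|modifier" as in Sigma.
SELECTION = {"IntegrityLevel": ["System"], "User|contains": ["AUTHORI", "AUTORI"]}
SELECTION_SPECIAL = [  # a list of maps is an OR between the maps
    {"Image|endswith": ["\\mshta.exe", "\\wscript.exe", "\\ping.exe"]},
    {"CommandLine|contains": [" -NoP ", " -e* JAB", "sekurlsa::", " -ma "]},
]
FILTERS = [  # "not 1 of filter_*": any matching filter suppresses the alert
    {"CommandLine|contains": ["ping 127.0.0.1 -n"]},
    {"Image|endswith": ["\\PING.EXE"], "ParentCommandLine|contains": ["\\DismFoDInstall.cmd"]},
]

def _pattern(value, modifier):
    """Sigma value -> case-insensitive regex; '*' inside a value is a wildcard."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    if modifier == "contains":
        body = f".*{body}.*"
    elif modifier == "endswith":
        body = f".*{body}"
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)

def _field_matches(event, key, values):
    """A field entry matches if ANY of its listed values matches the event field."""
    field, _, modifier = key.partition("|")
    return any(_pattern(v, modifier).match(str(event.get(field, ""))) for v in values)

def _selection_matches(event, selection):
    """A map is an AND of its fields; a list of maps is an OR of the maps."""
    maps = selection if isinstance(selection, list) else [selection]
    return any(all(_field_matches(event, k, v) for k, v in m.items()) for m in maps)

def rule_matches(event):
    """condition: all of selection* and not 1 of filter_*"""
    selected = all(_selection_matches(event, s) for s in (SELECTION, SELECTION_SPECIAL))
    return selected and not any(_selection_matches(event, f) for f in FILTERS)

# Constructed sample process_creation events, not real telemetry.
EVENTS = [
    {"IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",  # -enc payload is "$a=1"
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc JABhAD0AMQA="},
    {"IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",  # hits filter_main_ping
     "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping 127.0.0.1 -n 10"},
    {"IntegrityLevel": "High", "User": "DESKTOP\\alice",          # not SYSTEM, no alert
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -c Get-Date"},
]
```

Only the first event alerts: the second matches `selection_special` via `\ping.exe` but is suppressed by `filter_main_ping`, and the third fails `selection` because it did not run as SYSTEM.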