Sysprep on AppData Folder

Mar 5, 2023 · attack.execution attack.t1059 ·

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Sigma rule (View on GitHub)

 1title: Sysprep on AppData Folder
 2id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
 3status: test
 4description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
 5references:
 6    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 7    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
 8author: Florian Roth (Nextron Systems)
 9date: 2018/06/22
10modified: 2021/11/27
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\sysprep.exe'
20        CommandLine|contains: '\AppData\'
21    condition: selection
22falsepositives:
23    - False positives depend on scripts and administrative tools used in the monitored environment
24level: medium

References

Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies

Symantec’s artificial-intelligence-based Targeted Attack Analytics uncovers new wide-ranging espionage operation.

Read More
Analysis 0c1ecb743841a12246f273f28312c949e7891a8b10bb59948446a481ccc654ad (MD5: 9DFD87911ACE5B24E2E0D82C618A1A66) No threats detected - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More

Sysprep on AppData Folder

Sigma rule (View on GitHub)

References

Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies

Analysis 0c1ecb743841a12246f273f28312c949e7891a8b10bb59948446a481ccc654ad (MD5: 9DFD87911ACE5B24E2E0D82C618A1A66) No threats detected - Interactive analysis ANY.RUN

Related rules