Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags, which register a script to run on a VM power-state transition (power-on, resume, suspend or shutdown); the mechanism can be abused for persistence.
Sigma rule

```yaml
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
    - id: 236d8e89-ed95-4789-a982-36f4643738ba
      type: derived
status: test
description: Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
    - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VMwareToolBoxCmd.exe'
        - OriginalFileName: 'toolbox-cmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' script '
            - ' set '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
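To make the detection logic concrete, the following Python is an added example and is not part of the Sigma rule or the SigmaHQ project. It re-implements the rule's two selections and its condition as plain functions and runs them over a handful of constructed process_creation events (the paths, file names and command lines are made up for illustration, not real telemetry). Two details of Sigma semantics matter here: string comparisons are case-insensitive, so every field is lower-cased before matching; and `selection_img` is a list of maps, so its entries are ORed, while `contains|all` ANDs the two substrings. The renamed-binary event shows why the rule also keys on `OriginalFileName`.

```python
"""Evaluate the VMwareToolBoxCmd.exe "script ... set" Sigma rule over sample events.

Added example: a hand-written evaluator, not a Sigma backend. Field names follow
Sysmon Event ID 1 / the Sigma process_creation taxonomy.
"""
from __future__ import annotations

# Constructed sample events (not real logs). Index 1 and 2 are the malicious ones.
EVENTS = [
    {   # 0: legitimate query of the configured power script, no "set" -> no alert
        "Image": r"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe",
        "OriginalFileName": "toolbox-cmd.exe",
        "CommandLine": r'"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe" script power current',
    },
    {   # 1: persistence: registers a script that runs every time the VM powers on
        "Image": r"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe",
        "OriginalFileName": "toolbox-cmd.exe",
        "CommandLine": r"VMwareToolboxCmd.exe script power set C:\Users\Public\run.bat",
    },
    {   # 2: renamed copy of the binary; only OriginalFileName still identifies it
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "toolbox-cmd.exe",
        "CommandLine": r"svc.exe SCRIPT resume SET C:\Users\Public\run.bat",
    },
    {   # 3: unrelated process that happens to contain both words -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c set script=1",
    },
]


def _lower(value: str | None) -> str:
    """Sigma string matching is case-insensitive; normalise missing fields to ''."""
    return (value or "").lower()


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, so the two entries are ORed."""
    return (
        _lower(event.get("Image")).endswith(r"\vmwaretoolboxcmd.exe")
        or _lower(event.get("OriginalFileName")) == "toolbox-cmd.exe"
    )


def selection_cli(event: dict) -> bool:
    """CommandLine|contains|all: every listed substring must be present."""
    cmdline = _lower(event.get("CommandLine"))
    return all(needle in cmdline for needle in (" script ", " set "))


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def run(events: list[dict] = EVENTS) -> list[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run():
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']}")
```

Running the block prints alerts for events 1 and 2 only. Note the surrounding spaces in `' script '` and `' set '`: they stop `cmd.exe /c set script=1` from matching, but they also mean a command line that ends in `set` with nothing after it would not match, which is acceptable because the persistence variant always carries a script path after `set`.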
References
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
Related rules
- Suspicious Execution via macOS Script Editor
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- VMToolsd Suspicious Child Process
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation