Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of VMwareToolBoxCmd.exe with the "script ... set" arguments to register a script that resides in a potentially suspicious directory (PerfLogs, Temp, Tasks and similar) as the handler for a VM power-state change (power, resume, suspend, shutdown). Because the handler runs every time the guest reaches that state, this is a persistence technique that survives reboots without touching the usual autostart locations.
Sigma rule
```yaml
title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 236d8e89-ed95-4789-a982-36f4643738ba
related:
    - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
      type: derived
status: test
description: Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" arguments to register a script located in a potentially suspicious directory as the handler for a specific VM power state
references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_bin_img:
        - Image|endswith: '\VMwareToolBoxCmd.exe'
        - OriginalFileName: 'toolbox-cmd.exe'
    selection_bin_cli:
        CommandLine|contains|all:
            - ' script '
            - ' set '
    selection_susp_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
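As an added example (not part of this rule page or the SigmaHQ project), the rule's three selections re-implemented in Python and run over constructed process-creation events, so you can see which command lines fire and which do not. The event records, user names and script paths are made up; the match logic mirrors the rule, and comparisons are lower-cased because Sigma's `contains` and `endswith` modifiers are case-insensitive by default.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Windows process_creation event (constructed)."""
    image: str
    original_file_name: str
    command_line: str


# Values copied from the rule's selection_susp_paths (backslashes escaped for Python).
SUSPICIOUS_PATHS = (
    ":\\PerfLogs\\",
    ":\\Temp\\",
    ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp",
)


def selection_bin_img(ev: ProcessEvent) -> bool:
    # A list of maps in Sigma is OR-ed: either the image name or the PE
    # OriginalFileName identifies the toolbox CLI, so renaming the binary
    # alone does not evade this selection.
    return (ev.image.lower().endswith("\\vmwaretoolboxcmd.exe")
            or ev.original_file_name.lower() == "toolbox-cmd.exe")


def selection_bin_cli(ev: ProcessEvent) -> bool:
    # contains|all: both substrings must appear, space-padded as in the rule.
    cl = ev.command_line.lower()
    return " script " in cl and " set " in cl


def selection_susp_paths(ev: ProcessEvent) -> bool:
    # contains without |all: any one of the listed directories is enough.
    cl = ev.command_line.lower()
    return any(p.lower() in cl for p in SUSPICIOUS_PATHS)


def matches_rule(ev: ProcessEvent) -> bool:
    # condition: all of selection_*
    return selection_bin_img(ev) and selection_bin_cli(ev) and selection_susp_paths(ev)


TOOLBOX = "C:\\Program Files\\VMware\\VMware Tools\\VMwareToolboxCmd.exe"

# Constructed sample events; none were taken from a real host.
SAMPLE_EVENTS = [
    # 1. Persistence: a batch file in Windows\Temp registered for the power-on state.
    ProcessEvent(TOOLBOX, "toolbox-cmd.exe",
                 f'"{TOOLBOX}" script power set C:\\Windows\\Temp\\update.bat'),
    # 2. Renamed copy of the CLI: Image does not match, OriginalFileName still does.
    ProcessEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\t.exe", "toolbox-cmd.exe",
                 "t.exe script resume set C:\\Users\\bob\\AppData\\Local\\Temp\\r.bat"),
    # 3. Administrator registering a script under Program Files: no suspicious path.
    ProcessEvent(TOOLBOX, "toolbox-cmd.exe",
                 f'"{TOOLBOX}" script shutdown set "C:\\Program Files\\VMware\\VMware Tools\\backup.bat"'),
    # 4. Read-only query of the current setting: no " set " token.
    ProcessEvent(TOOLBOX, "toolbox-cmd.exe", f'"{TOOLBOX}" script power current'),
    # 5. Unrelated process whose arguments happen to contain the keywords.
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c echo script set C:\\Temp\\x.txt"),
]


def evaluate(events):
    """Return the command lines of all events that match the rule."""
    return [ev.command_line for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Events 1 and 2 fire; 3 to 5 do not. Two caveats follow from the logic: the suspicious-path check runs over the whole command line, so a copy of the CLI launched from Temp (event 2) matches even if the script itself lives elsewhere, and a script registered under a directory not in the list (event 3) is invisible to this rule, which is why the broader "Potential Persistence" parent rule exists. This is a process-creation rule only; it does not see a handler written into the VMware Tools configuration file by other means. To audit a host, `VMwareToolboxCmd.exe script power current` (likewise `resume`, `suspend`, `shutdown`) prints the script currently registered for that state.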
Related rules
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Suspicious Execution via macOS Script Editor
- VMToolsd Suspicious Child Process
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation