VMToolsd Suspicious Child Process

Detects suspicious child processes spawned by the VMware Tools service process (vmtoolsd.exe), which may indicate persistence set up through the VMware Tools power-operation scripts referenced below

Sigma rule (View on GitHub)

title: VMToolsd Suspicious Child Process
id: 5687f942-867b-4578-ade7-1e341c46e99a
status: experimental
description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
    - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
    - https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
author: bohops, Bhabesh Raj
date: 2021/10/08
modified: 2023/07/25
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\vmtoolsd.exe'
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'MSHTA.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    filter_main_vmwaretools_script:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - '\VMware\VMware Tools\poweron-vm-default.bat'
            - '\VMware\VMware Tools\poweroff-vm-default.bat'
            - '\VMware\VMware Tools\resume-vm-default.bat'
            - '\VMware\VMware Tools\suspend-vm-default.bat'
    filter_main_empty:
        Image|endswith: '\cmd.exe'
        CommandLine: ''
    filter_main_null:
        Image|endswith: '\cmd.exe'
        CommandLine: null
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Legitimate use by VM administrator
level: high
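The rule's condition, re-implemented in plain Python as an added example (not Sigma's engine nor the rule authors' code) and run over constructed process_creation events using Sysmon-style field names. It shows that both selections must match (the image list OR the OriginalFileName list, so a renamed binary is still caught), that Sigma string matching is case-insensitive, and that the three filters only exempt cmd.exe children.

```python
# Added example: stand-alone evaluation of "all of selection* and not 1 of filter_main_*".
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
                     "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
SUSPICIOUS_ORIGINAL_NAMES = ("cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                             "pwsh.dll", "regsvr32.exe", "rundll32.exe", "wscript.exe")
DEFAULT_VMTOOLS_SCRIPTS = tuple(
    f"\\vmware\\vmware tools\\{op}-vm-default.bat" for op in ("poweron", "poweroff", "resume", "suspend"))


def _lower(value):
    # Sigma string comparisons are case-insensitive; missing fields compare as empty.
    return (value or "").lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event would fire the rule."""
    parent = _lower(event.get("ParentImage"))
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    cmdline = event.get("CommandLine")  # None models Sigma 'null', '' models the empty string

    if not parent.endswith("\\vmtoolsd.exe"):          # selection_parent
        return False
    if not (image.endswith(SUSPICIOUS_IMAGES)          # selection_img: list of maps = OR
            or original in SUSPICIOUS_ORIGINAL_NAMES):
        return False
    if image.endswith("\\cmd.exe"):                    # all filter_main_* require cmd.exe
        if cmdline is None or cmdline == "":           # filter_main_null / filter_main_empty
            return False
        if any(s in cmdline.lower() for s in DEFAULT_VMTOOLS_SCRIPTS):
            return False                               # filter_main_vmwaretools_script
    return True


VMTOOLSD = r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"ParentImage": VMTOOLSD, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat"'},
    {"ParentImage": VMTOOLSD, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": r"powershell.exe -File C:\ProgramData\task.ps1"},
    {"ParentImage": VMTOOLSD, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": ""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /k"},
    {"ParentImage": VMTOOLSD, "Image": r"C:\Users\Public\svc.exe",  # renamed binary, caught by OriginalFileName
     "OriginalFileName": "RUNDLL32.EXE", "CommandLine": r"svc.exe C:\Users\Public\x.dll,Start"},
]


def alerting_indexes(events) -> list:
    """Indexes of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Events 0, 2 and 3 are a default VMware script, an empty cmd.exe command line and a non-vmtoolsd parent, so only events 1 and 4 alert.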
