Use of W32tm as Timer
When configured with suitable command line arguments, w32tm can act as a delay mechanism
Sigma rule (View on GitHub)
1title: Use of W32tm as Timer
2id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
3status: test
4description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
7 - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
8author: frack113
9date: 2022/09/25
10tags:
11 - attack.discovery
12 - attack.t1124
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_w32tm:
18 - Image|endswith: '\w32tm.exe'
19 - OriginalFileName: 'w32time.dll'
20 selection_cmd:
21 CommandLine|contains|all:
22 - '/stripchart'
23 - '/computer:'
24 - '/period:'
25 - '/dataonly'
26 - '/samples:'
27 condition: all of selection_*
28falsepositives:
29 - Legitimate use
30level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
DCRat (also known as DarkCrystal RAT) is a commercial Russian backdoor sold predominantly on underground forums. It has a range of nefarious abilities, including surveillance, reconnaissance, information theft, and DDoS attacks, as well as dynamic code execution in a variety of different languages.
Read More
Related rules
- System Time Lookup
- Discovery of a System Time
- Active Directory Group Enumeration With Get-AdGroup
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Discovery Using AzureHound