cscli scenarios install sigmahq/proc_creation_win_sysinternals_susp_psexec_paexec_flags
# CrowdSec scenario converted from the SigmaHQ rule of the same name.
# "trigger" scenarios raise an alert on the first event the filter accepts;
# there is no capacity/leakspeed accumulation as with leaky buckets.
type: trigger
name: sigmahq/proc_creation_win_sysinternals_susp_psexec_paexec_flags
description: |
  Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
# Matching logic:
#  - only Sysmon process-creation events (EventID 1) are considered;
#  - the command line must contain one of the "-s"/"-i" flag combinations
#    followed by cmd, pwsh or powershell. Each flag is listed with the
#    ASCII hyphen, the slash and three Unicode dash look-alikes (en dash,
#    em dash, horizontal bar), which is the Sigma "windash" expansion;
#  - events whose command line mentions paexec, PsExec or accepteula are
#    excluded, since those are the known tools this rule is not about.
# NOTE(review): expr's `contains` is a plain substring test and is
# case-sensitive, so the exclusion only matches the exact spellings
# 'paexec' and 'PsExec'; other casings of the same tool names are not
# excluded and would still be reported as an "unknown program". Confirm
# against the upstream Sigma rule, where `contains` is case-insensitive.
# NOTE(review): the filter assumes evt.Parsed.CommandLine is populated by
# the sysmon parser for EventID 1 — verify with the parser in use.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.CommandLine contains ' -s cmd' || evt.Parsed.CommandLine contains ' /s cmd' || evt.Parsed.CommandLine contains ' –s cmd' || evt.Parsed.CommandLine contains ' —s cmd' || evt.Parsed.CommandLine contains ' ―s cmd' || evt.Parsed.CommandLine contains ' -s -i cmd' || evt.Parsed.CommandLine contains ' -s /i cmd' || evt.Parsed.CommandLine contains ' -s –i cmd' || evt.Parsed.CommandLine contains ' -s —i cmd' || evt.Parsed.CommandLine contains ' -s ―i cmd' || evt.Parsed.CommandLine contains ' /s -i cmd' || evt.Parsed.CommandLine contains ' /s /i cmd' || evt.Parsed.CommandLine contains ' /s –i cmd' || evt.Parsed.CommandLine contains ' /s —i cmd' || evt.Parsed.CommandLine contains ' /s ―i cmd' || evt.Parsed.CommandLine contains ' –s -i cmd' || evt.Parsed.CommandLine contains ' –s /i cmd' || evt.Parsed.CommandLine contains ' –s –i cmd' || evt.Parsed.CommandLine contains ' –s —i cmd' || evt.Parsed.CommandLine contains ' –s ―i cmd' || evt.Parsed.CommandLine contains ' —s -i cmd' || evt.Parsed.CommandLine contains ' —s /i cmd' || evt.Parsed.CommandLine contains ' —s –i cmd' || evt.Parsed.CommandLine contains ' —s —i cmd' || evt.Parsed.CommandLine contains ' —s ―i cmd' || evt.Parsed.CommandLine contains ' ―s -i cmd' || evt.Parsed.CommandLine contains ' ―s /i cmd' || evt.Parsed.CommandLine contains ' ―s –i cmd' || evt.Parsed.CommandLine contains ' ―s —i cmd' || evt.Parsed.CommandLine contains ' ―s ―i cmd' || evt.Parsed.CommandLine contains ' -i -s cmd' || evt.Parsed.CommandLine contains ' -i /s cmd' || evt.Parsed.CommandLine contains ' -i –s cmd' || evt.Parsed.CommandLine contains ' -i —s cmd' || evt.Parsed.CommandLine contains ' -i ―s cmd' || evt.Parsed.CommandLine contains ' /i -s cmd' || evt.Parsed.CommandLine contains ' /i /s cmd' || evt.Parsed.CommandLine contains ' /i –s cmd' || evt.Parsed.CommandLine contains ' /i —s cmd' || evt.Parsed.CommandLine contains ' /i ―s cmd' || evt.Parsed.CommandLine contains ' –i -s cmd' || evt.Parsed.CommandLine contains ' –i /s cmd' || evt.Parsed.CommandLine contains ' –i –s cmd' || evt.Parsed.CommandLine contains ' –i —s cmd' || evt.Parsed.CommandLine contains ' –i ―s cmd' || evt.Parsed.CommandLine contains ' —i -s cmd' || evt.Parsed.CommandLine contains ' —i /s cmd' || evt.Parsed.CommandLine contains ' —i –s cmd' || evt.Parsed.CommandLine contains ' —i —s cmd' || evt.Parsed.CommandLine contains ' —i ―s cmd' || evt.Parsed.CommandLine contains ' ―i -s cmd' || evt.Parsed.CommandLine contains ' ―i /s cmd' || evt.Parsed.CommandLine contains ' ―i –s cmd' || evt.Parsed.CommandLine contains ' ―i —s cmd' || evt.Parsed.CommandLine contains ' ―i ―s cmd' || evt.Parsed.CommandLine contains ' -s pwsh' || evt.Parsed.CommandLine contains ' /s pwsh' || evt.Parsed.CommandLine contains ' –s pwsh' || evt.Parsed.CommandLine contains ' —s pwsh' || evt.Parsed.CommandLine contains ' ―s pwsh' || evt.Parsed.CommandLine contains ' -s -i pwsh' || evt.Parsed.CommandLine contains ' -s /i pwsh' || evt.Parsed.CommandLine contains ' -s –i pwsh' || evt.Parsed.CommandLine contains ' -s —i pwsh' || evt.Parsed.CommandLine contains ' -s ―i pwsh' || evt.Parsed.CommandLine contains ' /s -i pwsh' || evt.Parsed.CommandLine contains ' /s /i pwsh' || evt.Parsed.CommandLine contains ' /s –i pwsh' || evt.Parsed.CommandLine contains ' /s —i pwsh' || evt.Parsed.CommandLine contains ' /s ―i pwsh' || evt.Parsed.CommandLine contains ' –s -i pwsh' || evt.Parsed.CommandLine contains ' –s /i pwsh' || evt.Parsed.CommandLine contains ' –s –i pwsh' || evt.Parsed.CommandLine contains ' –s —i pwsh' || evt.Parsed.CommandLine contains ' –s ―i pwsh' || evt.Parsed.CommandLine contains ' —s -i pwsh' || evt.Parsed.CommandLine contains ' —s /i pwsh' || evt.Parsed.CommandLine contains ' —s –i pwsh' || evt.Parsed.CommandLine contains ' —s —i pwsh' || evt.Parsed.CommandLine contains ' —s ―i pwsh' || evt.Parsed.CommandLine contains ' ―s -i pwsh' || evt.Parsed.CommandLine contains ' ―s /i pwsh' || evt.Parsed.CommandLine contains ' ―s –i pwsh' || evt.Parsed.CommandLine contains ' ―s —i pwsh' || evt.Parsed.CommandLine contains ' ―s ―i pwsh' || evt.Parsed.CommandLine contains ' -i -s pwsh' || evt.Parsed.CommandLine contains ' -i /s pwsh' || evt.Parsed.CommandLine contains ' -i –s pwsh' || evt.Parsed.CommandLine contains ' -i —s pwsh' || evt.Parsed.CommandLine contains ' -i ―s pwsh' || evt.Parsed.CommandLine contains ' /i -s pwsh' || evt.Parsed.CommandLine contains ' /i /s pwsh' || evt.Parsed.CommandLine contains ' /i –s pwsh' || evt.Parsed.CommandLine contains ' /i —s pwsh' || evt.Parsed.CommandLine contains ' /i ―s pwsh' || evt.Parsed.CommandLine contains ' –i -s pwsh' || evt.Parsed.CommandLine contains ' –i /s pwsh' || evt.Parsed.CommandLine contains ' –i –s pwsh' || evt.Parsed.CommandLine contains ' –i —s pwsh' || evt.Parsed.CommandLine contains ' –i ―s pwsh' || evt.Parsed.CommandLine contains ' —i -s pwsh' || evt.Parsed.CommandLine contains ' —i /s pwsh' || evt.Parsed.CommandLine contains ' —i –s pwsh' || evt.Parsed.CommandLine contains ' —i —s pwsh' || evt.Parsed.CommandLine contains ' —i ―s pwsh' || evt.Parsed.CommandLine contains ' ―i -s pwsh' || evt.Parsed.CommandLine contains ' ―i /s pwsh' || evt.Parsed.CommandLine contains ' ―i –s pwsh' || evt.Parsed.CommandLine contains ' ―i —s pwsh' || evt.Parsed.CommandLine contains ' ―i ―s pwsh' || evt.Parsed.CommandLine contains ' -s powershell' || evt.Parsed.CommandLine contains ' /s powershell' || evt.Parsed.CommandLine contains ' –s powershell' || evt.Parsed.CommandLine contains ' —s powershell' || evt.Parsed.CommandLine contains ' ―s powershell' || evt.Parsed.CommandLine contains ' -s -i powershell' || evt.Parsed.CommandLine contains ' -s /i powershell' || evt.Parsed.CommandLine contains ' -s –i powershell' || evt.Parsed.CommandLine contains ' -s —i powershell' || evt.Parsed.CommandLine contains ' -s ―i powershell' || evt.Parsed.CommandLine contains ' /s -i powershell' || evt.Parsed.CommandLine contains ' /s /i powershell' || evt.Parsed.CommandLine contains ' /s –i powershell' || evt.Parsed.CommandLine contains ' /s —i powershell' || evt.Parsed.CommandLine contains ' /s ―i powershell' || evt.Parsed.CommandLine contains ' –s -i powershell' || evt.Parsed.CommandLine contains ' –s /i powershell' || evt.Parsed.CommandLine contains ' –s –i powershell' || evt.Parsed.CommandLine contains ' –s —i powershell' || evt.Parsed.CommandLine contains ' –s ―i powershell' || evt.Parsed.CommandLine contains ' —s -i powershell' || evt.Parsed.CommandLine contains ' —s /i powershell' || evt.Parsed.CommandLine contains ' —s –i powershell' || evt.Parsed.CommandLine contains ' —s —i powershell' || evt.Parsed.CommandLine contains ' —s ―i powershell' || evt.Parsed.CommandLine contains ' ―s -i powershell' || evt.Parsed.CommandLine contains ' ―s /i powershell' || evt.Parsed.CommandLine contains ' ―s –i powershell' || evt.Parsed.CommandLine contains ' ―s —i powershell' || evt.Parsed.CommandLine contains ' ―s ―i powershell' || evt.Parsed.CommandLine contains ' -i -s powershell' || evt.Parsed.CommandLine contains ' -i /s powershell' || evt.Parsed.CommandLine contains ' -i –s powershell' || evt.Parsed.CommandLine contains ' -i —s powershell' || evt.Parsed.CommandLine contains ' -i ―s powershell' || evt.Parsed.CommandLine contains ' /i -s powershell' || evt.Parsed.CommandLine contains ' /i /s powershell' || evt.Parsed.CommandLine contains ' /i –s powershell' || evt.Parsed.CommandLine contains ' /i —s powershell' || evt.Parsed.CommandLine contains ' /i ―s powershell' || evt.Parsed.CommandLine contains ' –i -s powershell' || evt.Parsed.CommandLine contains ' –i /s powershell' || evt.Parsed.CommandLine contains ' –i –s powershell' || evt.Parsed.CommandLine contains ' –i —s powershell' || evt.Parsed.CommandLine contains ' –i ―s powershell' || evt.Parsed.CommandLine contains ' —i -s powershell' || evt.Parsed.CommandLine contains ' —i /s powershell' || evt.Parsed.CommandLine contains ' —i –s powershell' || evt.Parsed.CommandLine contains ' —i —s powershell' || evt.Parsed.CommandLine contains ' —i ―s powershell' || evt.Parsed.CommandLine contains ' ―i -s powershell' || evt.Parsed.CommandLine contains ' ―i /s powershell' || evt.Parsed.CommandLine contains ' ―i –s powershell' || evt.Parsed.CommandLine contains ' ―i —s powershell' || evt.Parsed.CommandLine contains ' ―i ―s powershell') && not (evt.Parsed.CommandLine contains 'paexec' || evt.Parsed.CommandLine contains 'PsExec' || evt.Parsed.CommandLine contains 'accepteula'))
# After an overflow, further matches for the same scope key are ignored
# for 2 minutes, so a burst of child processes yields one alert.
blackhole: 2m
#status: test
# Hub metadata; confidence/spoofable are informational scores for the
# hub listing — presumably not consulted by the engine at match time; verify.
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1587.001

  label: "Potential Privilege Escalation To LOCAL SYSTEM"
  behavior : "windows:audit"
  # No decision is derived from this scenario; the alert is for
  # investigation only.
  remediation: false

# Alerts are keyed on the parent process id rather than a source IP, so
# the blackhole above applies per launching process, not per host.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId