Suspicious SYSTEM User Process Creation

    Date: 11/14/2024

    Severity: High

    Summary

    Detects a suspicious process creation by the SYSTEM user (unusual program or command-line parameter).

    Indicators of Compromise (IOC) List

    Detection criteria :

    User (substring match, so localized names of the SYSTEM account such as NT AUTHORITY\SYSTEM and AUTORITE NT\SYSTEM are covered) :

    'AUTHORI'
    'AUTORI'

    IntegrityLevel :

    System

    Image (ends with) :

    '\calc.exe'
    '\cscript.exe'
    '\forfiles.exe'
    '\hh.exe'
    '\mshta.exe'
    '\ping.exe'
    '\wscript.exe'

    CommandLine (contains) :

    ' -NoP '  # Often used in malicious PowerShell commands
    ' -W Hidden '  # Often used in malicious PowerShell commands
    ' -decode '  # Used with certutil
    ' /decode '  # Used with certutil
    ' /urlcache '  # Used with certutil
    ' -urlcache '  # Used with certutil
    ' -e* JAB'  # PowerShell encoded commands
    ' -e* SUVYI'  # PowerShell encoded commands
    ' -e* SQBFAFgA'  # PowerShell encoded commands
    ' -e* aWV4I'  # PowerShell encoded commands
    ' -e* IAB'  # PowerShell encoded commands
    ' -e* PAA'  # PowerShell encoded commands
    ' -e* aQBlAHgA'  # PowerShell encoded commands
    'vssadmin delete shadows'  # Ransomware
    'reg SAVE HKLM'  # Save registry SAM hive - syskey extraction
    ' -ma '  # ProcDump
    'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
    '.downloadstring('  # PowerShell download command
    '.downloadfile('  # PowerShell download command
    ' /ticket:'  # Rubeus
    'dpapi::'  # Mimikatz
    'event::clear'  # Mimikatz
    'event::drop'  # Mimikatz
    'id::modify'  # Mimikatz
    'kerberos::'  # Mimikatz
    'lsadump::'  # Mimikatz
    'misc::'  # Mimikatz
    'privilege::'  # Mimikatz
    'rpc::'  # Mimikatz
    'sekurlsa::'  # Mimikatz
    'sid::'  # Mimikatz
    'token::'  # Mimikatz
    'vault::cred'  # Mimikatz
    'vault::list'  # Mimikatz
    ' p::d '  # Mimikatz
    ';iex('  # PowerShell IEX
    'MiniDump'  # Process dumping method apart from ProcDump
    'net user '

    Exclusions (an event that matches one of the following groups is filtered out as known benign activity) :

    CommandLine (all three present, i.e. the "ping 127.0.0.1 -n <count>" sleep idiom used by installers and scripts) :

    'ping'
    '127.0.0.1'
    ' -n '

    CommandLine :

    ' -ma '

    Image :

    '\PING.EXE'
    ':\Program Files (x86)\Java\'
    ':\Program Files\Java\'
    '\bin\jp2launcher.exe'

    ParentCommandLine (ends with) :

    '\DismFoDInstall.cmd'

    ParentImage :

    ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    ':\Program Files (x86)\Java\'
    ':\Program Files\Java\'
    '\bin\javaws.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query :

    (resourcename = "Windows Security" AND eventtype = "4688")
    AND (processname like "\calc.exe" or processname like "\cscript.exe" or processname like "\forfiles.exe" or processname like "\hh.exe" or processname like "\mshta.exe" or processname like "\ping.exe" or processname like "\wscript.exe")
    AND (employeeid like "AUTHORI" or employeeid like "AUTORI")
    AND (commandline like "-NoP" or commandline like "-W Hidden" or commandline like "-decode" or commandline like "/decode" or commandline like "/urlcache" or commandline like "-urlcache" or commandline like "-e* JAB" or commandline like "-e* SUVYI" or commandline like "-e* SQBFAFgA" or commandline like "-e* aWV4I" or commandline like "-e* IAB" or commandline like "-e* PAA" or commandline like "-e* aQBlAHgA" or commandline like "vssadmin delete shadows" or commandline like "reg SAVE HKLM" or commandline like "-ma" or commandline like "Microsoft\Windows\CurrentVersion\Run" or commandline like ".downloadstring" or commandline like ".downloadfile" or commandline like "/ticket:" or commandline like "dpapi::" or commandline like "event::clear" or commandline like "event::drop" or commandline like "id::modify" or commandline like "kerberos::" or commandline like "lsadump::" or commandline like "misc::" or commandline like "privilege::" or commandline like "rpc::" or commandline like "sekurlsa::" or commandline like "sid::" or commandline like "token::" or commandline like "vault::cred" or commandline like "vault::list" or commandline like "p::d" or commandline like ";iex" or commandline like "MiniDump" or commandline like "net user")
    AND (commandline not like "ping" or commandline not like "127.0.0.1" or commandline not like "-n")
    AND processname not like "\PING.EXE"
    AND parentcommandline not like "\DismFoDInstall.cmd"
    AND parentprocessname not like ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows"
    AND (parentprocessname not like ":\Program Files (x86)\Java" and parentprocessname not like ":\Program Files\Java")
    AND parentprocessname not like "\bin\javaws.exe"
    AND (processname not like ":\Program Files (x86)\Java" and processname not like ":\Program Files\Java")
    AND processname not like "\bin\jp2launcher.exe"
    AND commandline not like "-ma"

    Detection Query :

    (technologygroup = "EDR")
    AND (processname like "\calc.exe" or processname like "\cscript.exe" or processname like "\forfiles.exe" or processname like "\hh.exe" or processname like "\mshta.exe" or processname like "\ping.exe" or processname like "\wscript.exe")
    AND (employeeid like "AUTHORI" or employeeid like "AUTORI")
    AND (commandline like "-NoP" or commandline like "-W Hidden" or commandline like "-decode" or commandline like "/decode" or commandline like "/urlcache" or commandline like "-urlcache" or commandline like "-e* JAB" or commandline like "-e* SUVYI" or commandline like "-e* SQBFAFgA" or commandline like "-e* aWV4I" or commandline like "-e* IAB" or commandline like "-e* PAA" or commandline like "-e* aQBlAHgA" or commandline like "vssadmin delete shadows" or commandline like "reg SAVE HKLM" or commandline like "-ma" or commandline like "Microsoft\Windows\CurrentVersion\Run" or commandline like ".downloadstring" or commandline like ".downloadfile" or commandline like "/ticket:" or commandline like "dpapi::" or commandline like "event::clear" or commandline like "event::drop" or commandline like "id::modify" or commandline like "kerberos::" or commandline like "lsadump::" or commandline like "misc::" or commandline like "privilege::" or commandline like "rpc::" or commandline like "sekurlsa::" or commandline like "sid::" or commandline like "token::" or commandline like "vault::cred" or commandline like "vault::list" or commandline like "p::d" or commandline like ";iex" or commandline like "MiniDump" or commandline like "net user")
    AND (commandline not like "ping" or commandline not like "127.0.0.1" or commandline not like "-n")
    AND processname not like "\PING.EXE"
    AND parentcommandline not like "\DismFoDInstall.cmd"
    AND parentprocessname not like ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows"
    AND (parentprocessname not like ":\Program Files (x86)\Java" and parentprocessname not like ":\Program Files\Java")
    AND parentprocessname not like "\bin\javaws.exe"
    AND (processname not like ":\Program Files (x86)\Java" and processname not like ":\Program Files\Java")
    AND processname not like "\bin\jp2launcher.exe"
    AND commandline not like "-ma"

    Notes on the queries: the ping exclusion targets the "ping 127.0.0.1 -n <count>" sleep idiom and therefore suppresses an event only when all three strings are present, which is why its three not like terms are joined with or; the two Java directory terms are joined with and, since a path under either directory is meant to be excluded. Both queries require a listed image and a listed command-line string in the same event, which is narrower than the summary's "unusual program or command-line parameter". The trailing commandline not like "-ma" removes every event the "-ma" (ProcDump) indicator would have matched, and processname not like "\PING.EXE" does the same for "\ping.exe" where matching is case-insensitive; keep those two exclusions only where ProcDump-style dumps and ping.exe are deliberately tuned out.
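    The rule logic written out as an added example, not Gurucul's or SigmaHQ's code: it takes the indicator strings and exclusions from the IOC list above and classifies constructed process-creation events as alerts, suppressed matches or ignored events. Two choices are assumptions: the suspicious-image and suspicious-command-line groups are combined with OR, as the summary ("unusual program or command-line parameter") describes, whereas the two queries above require both in the same event; and the flat ' -ma ' and '\PING.EXE' exclusions are left out because, applied to every event, they cancel the ' -ma ' and '\ping.exe' indicators. The ProcessEvent field set, the filter names and the sample events are constructed for the demo; matching is case-insensitive throughout.

```python
"""Added example: SYSTEM-user process anomaly check over constructed events.

Not Gurucul's or SigmaHQ's code. Indicator strings come from the IOC list on
this page; the event shape, filter names and sample events are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Images that are unusual for a SYSTEM-context process (suffix match).
SUSPICIOUS_IMAGES = ("\\calc.exe", "\\cscript.exe", "\\forfiles.exe", "\\hh.exe",
                     "\\mshta.exe", "\\ping.exe", "\\wscript.exe")

# Command-line substrings from the IOC list (case-insensitive substring match).
SUSPICIOUS_CMDLINE = (
    " -NoP ", " -W Hidden ", " -decode ", " /decode ", " /urlcache ", " -urlcache ",
    "vssadmin delete shadows", "reg SAVE HKLM", " -ma ", "Microsoft\\Windows\\CurrentVersion\\Run",
    ".downloadstring(", ".downloadfile(", " /ticket:", "dpapi::", "event::clear", "event::drop",
    "id::modify", "kerberos::", "lsadump::", "misc::", "privilege::", "rpc::", "sekurlsa::",
    "sid::", "token::", "vault::cred", "vault::list", " p::d ", ";iex(", "MiniDump", "net user ",
)

# ' -e* JAB' style indicators (PowerShell encoded commands): "-e<anything> " followed
# by one of the listed base64 prefixes. The '*' wildcard becomes '.*'.
_ENCODED_PREFIXES = ("jab", "suvyi", "sqbfafga", "awv4i", "iab", "paa", "aqblahga")
ENCODED_RE = re.compile(r" -e.* (?:" + "|".join(_ENCODED_PREFIXES) + ")")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed field set, e.g. from Security 4688 / Sysmon 1)."""
    user: str
    integrity_level: str
    image: str
    command_line: str
    parent_image: str = ""
    parent_command_line: str = ""


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def is_system_context(ev: ProcessEvent) -> bool:
    """The 'AUTHORI'/'AUTORI' substrings cover localized names of the SYSTEM account."""
    return ev.integrity_level.lower() == "system" and _contains_any(ev.user, ("AUTHORI", "AUTORI"))


def image_indicator(ev: ProcessEvent) -> bool:
    return ev.image.lower().endswith(tuple(s.lower() for s in SUSPICIOUS_IMAGES))


def cmdline_indicator(ev: ProcessEvent) -> bool:
    cl = ev.command_line.lower()
    return _contains_any(cl, SUSPICIOUS_CMDLINE) or ENCODED_RE.search(cl) is not None


def matched_exclusion(ev: ProcessEvent) -> Optional[str]:
    """Name of the first known-benign filter the event satisfies, else None (filter names assumed)."""
    cl = ev.command_line.lower()
    if all(s in cl for s in ("ping", "127.0.0.1", " -n ")):  # sleep idiom: all three required
        return "ping_loopback_sleep"
    if ev.parent_command_line.lower().endswith("\\dismfodinstall.cmd"):
        return "dism_fod_install"
    if _contains_any(ev.parent_image, (":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\",)):
        return "azure_guest_configuration"
    java_dirs = (":\\Program Files (x86)\\Java\\", ":\\Program Files\\Java\\")
    if (_contains_any(ev.image, java_dirs) and ev.image.lower().endswith("\\bin\\jp2launcher.exe")
            and _contains_any(ev.parent_image, java_dirs) and ev.parent_image.lower().endswith("\\bin\\javaws.exe")):
        return "java_web_start"
    return None


def evaluate(ev: ProcessEvent) -> Tuple[str, str]:
    """('alert', indicators) | ('suppressed', filter) | ('ignore', reason)."""
    if not is_system_context(ev):
        return ("ignore", "not a SYSTEM-context process")
    hits = [name for name, fn in (("image", image_indicator), ("commandline", cmdline_indicator)) if fn(ev)]
    if not hits:
        return ("ignore", "no indicator matched")
    excl = matched_exclusion(ev)
    return ("suppressed", excl) if excl else ("alert", "+".join(hits))


def run(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    return [evaluate(ev) for ev in events]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("NT AUTHORITY\\SYSTEM", "System", "C:\\Windows\\System32\\wscript.exe",
                 "wscript.exe //B C:\\Windows\\Temp\\stage.vbs", "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("NT AUTHORITY\\SYSTEM", "System", "C:\\Windows\\System32\\PING.EXE",
                 "ping 127.0.0.1 -n 10 > nul", "C:\\Windows\\System32\\cmd.exe"),
    # French-localized SYSTEM account; the encoded blob is constructed ("$p=1" in UTF-16LE base64).
    ProcessEvent("AUTORITE NT\\SYSTEM", "System", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoP -W Hidden -enc JABwAD0AMQA=", "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("CORP\\jdoe", "High", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoP -W Hidden -enc JABwAD0AMQA=", "C:\\Windows\\explorer.exe"),
    ProcessEvent("NT AUTHORITY\\SYSTEM", "System", "C:\\Windows\\System32\\cscript.exe",
                 "cscript.exe //nologo C:\\Temp\\FoD\\install.vbs", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\System32\\cmd.exe /c C:\\Temp\\FoD\\DismFoDInstall.cmd"),
    ProcessEvent("NT AUTHORITY\\SYSTEM", "System", "C:\\Windows\\System32\\svchost.exe",
                 "svchost.exe -k netsvcs -p -s Schedule", "C:\\Windows\\System32\\services.exe"),
]

if __name__ == "__main__":
    for ev, (verdict, why) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:10s} {why:28s} {ev.user:22s} {ev.command_line}")
```

    Running the block prints one verdict per sample event: the script host and the hidden encoded PowerShell launched as SYSTEM alert, the loopback ping sleep and the DISM feature-install child are suppressed, and the interactive-user PowerShell and the ordinary svchost are ignored. A ping without 127.0.0.1 (for example a reachability check against a host) still alerts, which is the behaviour the all-three-strings exclusion is meant to preserve.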

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml


    Tags

    MalwareSigma

