Suspicious SYSTEM User Process Creation

User :

'AUTHORI'

 'AUTORI'

IntegrityLevel :

System

Image :

'\calc.exe'

'\cscript.exe'

'\forfiles.exe'

'\hh.exe'

'\mshta.exe'

'\ping.exe'

'\wscript.exe'

CommandLine :

' -W Hidden ' # Often used in malicious PowerShell commands

' -decode '  # Used with certutil

' /decode '  # Used with certutil

' /urlcache '  # Used with certutil

' -urlcache '  # Used with certutil

' -e* JAB'  # PowerShell encoded commands

' -e* SUVYI'  # PowerShell encoded commands

' -e* SQBFAFgA'  # PowerShell encoded commands

' -e* aWV4I'  # PowerShell encoded commands

' -e* IAB'  # PowerShell encoded commands

' -e* PAA'  # PowerShell encoded commands

' -e* aQBlAHgA'  # PowerShell encoded commands

'vssadmin delete shadows'  # Ransomware

'reg SAVE HKLM'  # save registry SAM - syskey extraction

' -ma '  # ProcDump

'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD

'.downloadstring('  # PowerShell download command

'.downloadfile('  # PowerShell download command

' /ticket:'  # Rubeus

'dpapi::'     # Mimikatz

'event::clear'        # Mimikatz

'event::drop'     # Mimikatz

'id::modify'      # Mimikatz

'kerberos::'       # Mimikatz

'lsadump::'      # Mimikatz

'misc::'     # Mimikatz

'privilege::'       # Mimikatz

'rpc::'      # Mimikatz

'sekurlsa::'       # Mimikatz

'sid::'        # Mimikatz

'token::'      # Mimikatz

'vault::cred'     # Mimikatz

'vault::list'     # Mimikatz

' p::d '  # Mimikatz

';iex('  # PowerShell IEX

'MiniDump'  # Process dumping method apart from procdump

'net user '

Commandline :

‘Ping’

'127.0.0.1'

' -n '

 ' -ma '

Image :

'\PING.EXE'

:\Program Files (x86)\Java\

':\Program Files\Java\'

'\bin\jp2launcher.exe'

ParentCommandLine:

'\DismFoDInstall.cmd'

ParentImage :

':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'

':\Program Files (x86)\Java\'

':\Program Files\Java\'

'\bin\javaws.exe'

Detection Query :

(resourcename = "Windows Security"  AND eventtype = "4688"  ) AND ( processname like "\calc.exe" or processname like "\cscript.exe" or processname like "\forfiles.exe" or processname like "\hh.exe" or processname like "\mshta.exe" or processname like "\ping.exe" or processname like "\wscript.exe")  AND (employeeid like "AUTHORI" or employeeid like "AUTORI") AND (commandline like "-NoP" or commandline like "-W Hidden" or commandline like "-decode" or commandline like "/decode" or commandline like "/urlcache" or commandline like "-urlcache" or commandline like "-e* JAB" or commandline like "-e* SUVYI" or commandline like "-e* SQBFAFgA" or commandline like "-e* aWV4I" or commandline like "-e* IAB" or commandline like "-e* PAA" or commandline like "-e* aQBlAHgA" or commandline like "vssadmin delete shadows" or commandline like "reg SAVE HKLM" or commandline like "-ma" or commandline like "Microsoft\Windows\CurrentVersion\Run" or commandline like ".downloadstring" or commandline like ".downloadfile" or commandline like "/ticket:" or commandline like "dpapi::" or commandline like "event::clear" or commandline like "event::drop" or commandline like "id::modify" or commandline like "kerberos::" or commandline like "lsadump::" or commandline like "misc::" or commandline like "privilege::" or commandline like "rpc::" or commandline like "sekurlsa::" or commandline like "sid::" or commandline like "token::" or commandline like "vault::cred" or commandline like "vault::list" or commandline like "p::d" or commandline like ";iex" or commandline like "MiniDump" or commandline like "net user" ) AND (commandline not like "ping" and commandline not like "127.0.0.1" and commandline not like "-n") AND processname not like "\PING.EXE" AND parentcommandline not like  "\DismFoDInstall.cmd"  AND parentprocessname not like ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows" AND (parentprocessname not like ":\Program Files (x86)\Java" or parentprocessname not like ":\Program Files\Java") AND parentprocessname not like "\bin\javaws.exe" AND (processname not like ":\Program Files (x86)\Java" or processname not like ":\Program Files\Java") AND processname not like "\bin\jp2launcher.exe"  AND commandline not like "-ma"

Detection Query :

(technologygroup = "EDR" ) AND ( processname like "\calc.exe" or processname like "\cscript.exe" or processname like "\forfiles.exe" or processname like "\hh.exe" or processname like "\mshta.exe" or processname like "\ping.exe" or processname like "\wscript.exe")  AND (employeeid like "AUTHORI" or employeeid like "AUTORI") AND (commandline like "-NoP" or commandline like "-W Hidden" or commandline like "-decode" or commandline like "/decode" or commandline like "/urlcache" or commandline like "-urlcache" or commandline like "-e* JAB" or commandline like "-e* SUVYI" or commandline like "-e* SQBFAFgA" or commandline like "-e* aWV4I" or commandline like "-e* IAB" or commandline like "-e* PAA" or commandline like "-e* aQBlAHgA" or commandline like "vssadmin delete shadows" or commandline like "reg SAVE HKLM" or commandline like "-ma" or commandline like "Microsoft\Windows\CurrentVersion\Run" or commandline like ".downloadstring" or commandline like ".downloadfile" or commandline like "/ticket:" or commandline like "dpapi::" or commandline like "event::clear" or commandline like "event::drop" or commandline like "id::modify" or commandline like "kerberos::" or commandline like "lsadump::" or commandline like "misc::" or commandline like "privilege::" or commandline like "rpc::" or commandline like "sekurlsa::" or commandline like "sid::" or commandline like "token::" or commandline like "vault::cred" or commandline like "vault::list" or commandline like "p::d" or commandline like ";iex" or commandline like "MiniDump" or commandline like "net user" ) AND (commandline not like "ping" and commandline not like "127.0.0.1" and commandline not like "-n") AND processname not like "\PING.EXE" AND parentcommandline not like  "\DismFoDInstall.cmd"  AND parentprocessname not like ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows" AND (parentprocessname not like ":\Program Files (x86)\Java" or parentprocessname not like ":\Program Files\Java") AND parentprocessname not like "\bin\javaws.exe" AND (processname not like ":\Program Files (x86)\Java" or processname not like ":\Program Files\Java") AND processname not like "\bin\jp2launcher.exe"  AND commandline not like "-ma"