UNC2452 Process Creation Patterns

Date: 09/17/2024

Severity: High

Summary

Identifies specific process creation patterns associated with UNC2452, as outlined in Microsoft Defender ATP queries provided by Microsoft.

Indicators of Compromise (IOC) List

CommandLine
    '7z.exe a -v500m -mx9 -r0 -p'
    '7z.exe a -mx9 -r0 -p'
    '.zip'
    '.txt'
    '.log'
    'Rundll32.exe'
    'C:\Windows'
    '.dll,Tk_'
    'cmd.exe /C '
    ''

ParentCommandLine
    'Wscript.exe'
    '.vbs'
    'C:\Windows'
    '.dll'

ParentImage
    '\rundll32.exe'
    'C:\Windows'
    '.dll'

Image
    '\dllhost.exe'

Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1

(resourcename = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname In ("7z.exe a -v500m -mx9 -r0 -p","7z.exe a -mx9 -r0 -p",".zip",".txt",".log","rundll32.exe","C:\\Windows",".dll,Tk","\\rundll32.exe",".dll","cmd.exe //C","''" ) AND processname In ("wscript.exe",".vbs","\\dllhost.exe")

Detection Query 2

technologygroup = "EDR"  AND newprocessname In ("7z.exe a -v500m -mx9 -r0 -p","7z.exe a -mx9 -r0 -p",".zip",".txt",".log","rundll32.exe","C:\\Windows",".dll,Tk","\\rundll32.exe",".dll","cmd.exe //C","''" ) AND processname In ("wscript.exe",".vbs","\\dllhost.exe")

Detection Query 3

resourcename = "Sysmon"  AND eventtype = "1" AND commandline IN ("7z.exe a -v500m -mx9 -r0 -p","7z.exe a -mx9 -r0 -p",".zip",".txt",".log","rundll32.exe","C:\Windows",".dll,Tk_" ,"cmd.exe /C"," " ) AND parentimage = "\rundll32.exe" AND parentcommandline In ("wscript.exe",".vbs","C:\Windows",".dll" ) AND image = "\dllhost.exe"

Detection Query 4

technologygroup = "EDR" AND commandline IN ("7z.exe a -v500m -mx9 -r0 -p","7z.exe a -mx9 -r0 -p",".zip",".txt",".log","rundll32.exe","C:\Windows",".dll,Tk_" ,"cmd.exe /C"," ") AND parentimage = "\rundll32.exe" AND parentcommandline In ("wscript.exe",".vbs","C:\Windows",".dll" ) AND image = "\dllhost.exe"
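The values in the IOC list above are fragments of command lines and image paths, so a detection has to test them as substrings, prefixes or suffixes rather than compare whole field values for equality. The example below, added here and not part of Gurucul's, Microsoft's or the Sigma project's code, evaluates process-creation events (Security 4688 / Sysmon Event ID 1 style fields) against those fragments with contains, startswith and endswith semantics. The ProcEvent field names, the constructed sample events (paths, password and DLL export name are placeholders) and the way the fragments are grouped into selections are this example's assumptions, modelled on the referenced Sigma rule; verify the grouping against that rule before deploying.

```python
"""Added example (not Gurucul's, Microsoft's or the Sigma project's code):
evaluate Windows process-creation events against the UNC2452 command-line
fragments listed on this page. Field names and the grouping of fragments
into selections are this example's assumptions, modelled on the referenced
Sigma rule; fragments are matched as substrings, prefixes or suffixes."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class ProcEvent:
    """One process-creation record (Security 4688 / Sysmon Event ID 1 fields)."""
    image: str = ""                # path of the new process (Sysmon Image)
    command_line: str = ""         # full command line of the new process
    parent_image: str = ""         # path of the creating process
    parent_command_line: str = ""  # command line of the creating process


def _contains_all(value: str, fragments: Iterable[str]) -> bool:
    """Case-insensitive 'every fragment is a substring' test (Sigma contains|all)."""
    low = value.lower()
    return all(f.lower() in low for f in fragments)


def _ends_with(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _starts_with(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())


def match_unc2452(ev: ProcEvent) -> List[str]:
    """Return the names of every selection the event satisfies (empty list = no match)."""
    cl, pcl = ev.command_line, ev.parent_command_line
    hits: List[str] = []
    # 7-Zip packaging collected .txt / .log files into password-protected archives
    if _contains_all(cl, ["7z.exe a -v500m -mx9 -r0 -p", ".zip", ".txt"]):
        hits.append("7z_split_archive_txt")
    if _contains_all(cl, ["7z.exe a -mx9 -r0 -p", ".zip", ".log"]):
        hits.append("7z_archive_log")
    # rundll32 invoking a DLL export prefixed Tk_ from under C:\Windows
    if _contains_all(cl, ["rundll32.exe", "c:\\windows", ".dll,tk_"]):
        hits.append("rundll32_tk_export")
    # parent is wscript running a .vbs that references a DLL under C:\Windows
    if _contains_all(pcl, ["wscript.exe", ".vbs", "c:\\windows", ".dll"]):
        hits.append("wscript_vbs_dll_parent")
    # children of rundll32.exe: another DLL under C:\Windows, or a cmd.exe /C shell
    if _ends_with(ev.parent_image, "\\rundll32.exe"):
        if _contains_all(cl, ["c:\\windows", ".dll"]):
            hits.append("rundll32_parent_dll")
        if _starts_with(cl, "cmd.exe /c "):
            hits.append("rundll32_parent_cmd")
    # dllhost.exe started with an empty command line (the '' indicator above)
    if _ends_with(ev.image, "\\dllhost.exe") and cl == "":
        hits.append("dllhost_empty_cmdline")
    return hits


def scan(events: Dict[str, ProcEvent]) -> Dict[str, List[str]]:
    """Map each event label to the list of selections it matched."""
    return {label: match_unc2452(ev) for label, ev in events.items()}


# Constructed sample events; paths, password and export name are placeholders.
SAMPLE_EVENTS: Dict[str, ProcEvent] = {
    "7z_staging": ProcEvent(
        image=r"C:\Windows\Temp\7z.exe",
        command_line=r"7z.exe a -v500m -mx9 -r0 -pEXAMPLE_PW C:\Windows\Temp\out.zip C:\Users\jdoe\Documents\*.txt",
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line="cmd.exe",
    ),
    "rundll32_child_shell": ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line="cmd.exe /C echo test",
        parent_image=r"C:\Windows\System32\rundll32.exe",
        parent_command_line=r"rundll32.exe C:\Windows\example.dll,Tk_Start",
    ),
    "dllhost_no_args": ProcEvent(
        image=r"C:\Windows\System32\dllhost.exe",
        command_line="",
        parent_image=r"C:\Windows\System32\svchost.exe",
        parent_command_line="svchost.exe -k DcomLaunch",
    ),
    "benign_backup": ProcEvent(
        image=r"C:\Program Files\7-Zip\7z.exe",
        command_line=r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\jdoe\Documents',
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line="explorer.exe",
    ),
}

if __name__ == "__main__":
    for label, hits in scan(SAMPLE_EVENTS).items():
        print(f"{label:22} -> {hits or 'no match'}")
```

Each selection is reported by name so an alert can say which of the patterns fired; the benign 7-Zip backup shows why the full 7z argument string, not just "7z.exe", is part of the pattern.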

Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml


Tags

SigmaMalware
