/
proc_creation_win_pua_nircmd.yml
43 lines (43 loc) · 1.28 KB
/
proc_creation_win_pua_nircmd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
title: PUA - NirCmd Execution
id: 4e2ed651-1906-4a59-a78a-18220fca1b22
status: test
description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
references:
- https://www.nirsoft.net/utils/nircmd.html
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
- https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/24
modified: 2023/02/13
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: process_creation
product: windows
detection:
selection_org:
- Image|endswith: '\NirCmd.exe'
- OriginalFileName: 'NirCmd.exe'
selection_cmd:
CommandLine|contains:
- ' execmd '
- '.exe script '
- '.exe shexec '
- ' runinteractive '
combo_exec:
CommandLine|contains:
- ' exec '
- ' exec2 '
combo_exec_params:
CommandLine|contains:
- ' show '
- ' hide '
condition: 1 of selection_* or all of combo_*
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate use by administrators
level: medium