Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
```yaml
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_user:
        CommandLine|contains:
            - ' -u system '
            - ' --user system '
            - ' -u NT'
            - ' -u "NT'
            - " -u 'NT"
            - ' --system '
            - ' -u administrator '
    selection_command:
        CommandLine|contains:
            - ' -c cmd'
            - ' -c "cmd'
            - ' -c powershell'
            - ' -c "powershell'
            - ' --command cmd'
            - ' --command powershell'
            - ' -c whoami'
            - ' -c wscript'
            - ' -c cscript'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
```
```kql
imProcessCreate
| where (TargetProcessCommandLine contains " -u system "
        or TargetProcessCommandLine contains " --user system "
        or TargetProcessCommandLine contains " -u NT"
        or TargetProcessCommandLine contains " -u \"NT"
        or TargetProcessCommandLine contains " -u 'NT"
        or TargetProcessCommandLine contains " --system "
        or TargetProcessCommandLine contains " -u administrator ")
    and (TargetProcessCommandLine contains " -c cmd"
        or TargetProcessCommandLine contains " -c \"cmd"
        or TargetProcessCommandLine contains " -c powershell"
        or TargetProcessCommandLine contains " -c \"powershell"
        or TargetProcessCommandLine contains " --command cmd"
        or TargetProcessCommandLine contains " --command powershell"
        or TargetProcessCommandLine contains " -c whoami"
        or TargetProcessCommandLine contains " -c wscript"
        or TargetProcessCommandLine contains " -c cscript")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
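To see what the rule above actually fires on, the following Python re-implements its two `CommandLine|contains` selections and the `all of selection*` condition and runs them over a handful of constructed process_creation events. This is an added example, not part of the Sigma rule, the Sentinel query, or any SigmaHQ tooling; the binaries, paths and command lines in `SAMPLE_EVENTS` are made up for illustration. Like Sigma's `contains` and KQL's `contains`, the comparison is case-insensitive.

```python
# Added example: the rule's selection logic in Python, run over constructed events.
# Not the rule's own code; SAMPLE_EVENTS are invented, not real telemetry.
from typing import Dict, List, Tuple

# Needles copied verbatim from selection_user / selection_command in the rule.
USER_FLAGS: List[str] = [
    " -u system ", " --user system ", " -u NT", ' -u "NT', " -u 'NT",
    " --system ", " -u administrator ",
]
COMMAND_FLAGS: List[str] = [
    " -c cmd", ' -c "cmd', " -c powershell", ' -c "powershell',
    " --command cmd", " --command powershell", " -c whoami",
    " -c wscript", " -c cscript",
]


def hits(command_line: str, needles: List[str]) -> List[str]:
    """Return every needle that occurs in command_line.

    Sigma |contains and KQL contains are both case-insensitive, so match on
    lower-cased strings to stay faithful to how the rule behaves in a SIEM.
    """
    haystack = command_line.lower()
    return [n for n in needles if n.lower() in haystack]


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection*  ->  both selections must hit."""
    cl = event.get("CommandLine", "")
    return bool(hits(cl, USER_FLAGS)) and bool(hits(cl, COMMAND_FLAGS))


# Constructed sample events (hypothetical tool names and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: plain "-u system ... -c cmd" as a PsExec-like tool might be driven
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"C:\Users\Public\svc.exe -u system -c cmd.exe /c whoami"},
    # 1: quoted account and quoted command; hits the ' -u "NT' / ' -c "powershell' needles
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r'C:\Users\Public\svc.exe -u "NT AUTHORITY\SYSTEM" -c "powershell -nop -w hidden"'},
    # 2: upper-case flags; still matches because contains is case-insensitive
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": r"C:\Users\Public\svc.exe -U SYSTEM -C CMD.EXE"},
    # 3: target user is not a privileged account -> selection_user misses
    {"Image": r"C:\Tools\runner.exe",
     "CommandLine": r"C:\Tools\runner.exe -u jsmith -c cmd.exe /c dir"},
    # 4: "--system" is the last token; the needle ' --system ' needs a trailing space
    {"Image": r"C:\Tools\runner.exe",
     "CommandLine": r"C:\Tools\runner.exe -c cmd.exe --system"},
]


def run_detection(events: List[Dict[str, str]]) -> List[Tuple[int, List[str], List[str]]]:
    """Evaluate the rule over events; return (index, user needles, command needles) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        cl = ev.get("CommandLine", "")
        user_hits, cmd_hits = hits(cl, USER_FLAGS), hits(cl, COMMAND_FLAGS)
        if user_hits and cmd_hits:
            alerts.append((i, user_hits, cmd_hits))
    return alerts


if __name__ == "__main__":
    for i, user_hits, cmd_hits in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: user={user_hits} command={cmd_hits}")
        print("      ", SAMPLE_EVENTS[i]["CommandLine"])
```

Events 0, 1 and 2 alert; 3 and 4 do not. Event 4 is worth noting when tuning: several needles (`' -u system '`, `' --user system '`, `' --system '`, `' -u administrator '`) carry a trailing space, so a flag that is the final token on the command line is not matched, whereas `' -u NT'` and the quoted forms have no such requirement. Returning the matched needles alongside the alert makes triage quicker than a bare true/false.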