Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    # Base scope: the new process runs at System integrity under a built-in
    # "NT AUTHORITY" style account. Both keys of this map must match.
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'  # SID form of the System integrity level
        User|contains:  # localized spellings of the NT AUTHORITY account name
            - 'AUTHORI'
            - 'AUTORI'
    # Suspicious indicator: a list of maps, so ANY ONE of the three entries is enough.
    selection_special:
        # 1) Images that rarely need to run as SYSTEM
        - Image|endswith:
            - '\calc.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\ping.exe'
            - '\wscript.exe'
        # 2) Local account manipulation ("net user ...")
        - CommandLine|re: 'net\s+user\s+'
        # 3) Command-line fragments typical of offensive tooling
        - CommandLine|contains:
            # - 'sc stop '  # stops a system service; disabled because it caused false positives
            - ' -NoP '  # PowerShell: no profile
            - ' -W Hidden '  # PowerShell: hidden window
            - ' -decode '  # certutil decoding
            - ' /decode '  # certutil decoding
            - ' /urlcache '  # certutil download
            - ' -urlcache '  # certutil download
            - ' -e* JAB'  # PowerShell -EncodedCommand, base64 prefixes of common payload starts
            - ' -e* SUVYI'  # PowerShell encoded command
            - ' -e* SQBFAFgA'  # PowerShell encoded command
            - ' -e* aWV4I'  # PowerShell encoded command
            - ' -e* IAB'  # PowerShell encoded command
            - ' -e* PAA'  # PowerShell encoded command
            - ' -e* aQBlAHgA'  # PowerShell encoded command
            - 'vssadmin delete shadows'  # shadow copy deletion, seen with ransomware
            - 'reg SAVE HKLM'  # registry hive export (SAM/syskey extraction)
            - ' -ma '  # ProcDump full memory dump switch
            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key on the command line, typically with REG ADD
            - '.downloadstring('  # PowerShell web download
            - '.downloadfile('  # PowerShell web download
            - ' /ticket:'  # Rubeus
            - 'dpapi::'  # Mimikatz module
            - 'event::clear'  # Mimikatz module
            - 'event::drop'  # Mimikatz module
            - 'id::modify'  # Mimikatz module
            - 'kerberos::'  # Mimikatz module
            - 'lsadump::'  # Mimikatz module
            - 'misc::'  # Mimikatz module
            - 'privilege::'  # Mimikatz module
            - 'rpc::'  # Mimikatz module
            - 'sekurlsa::'  # Mimikatz module
            - 'sid::'  # Mimikatz module
            - 'token::'  # Mimikatz module
            - 'vault::cred'  # Mimikatz module
            - 'vault::list'  # Mimikatz module
            - ' p::d '  # Mimikatz module (abbreviated)
            - ';iex('  # PowerShell Invoke-Expression
            - 'MiniDump'  # process dumping without ProcDump
    # Known-benign patterns; the condition excludes an event when ANY filter matches.
    filter_main_ping:
        # loopback ping with a count, typically a scripted delay
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        # ping spawned by the DISM Features-on-Demand install script
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        # Azure Guest Configuration extension
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        # Java Web Start launching jp2launcher with ' -ma '; all five keys must match
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    # selection AND selection_special, minus any filter_* match
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
// Microsoft Sentinel (ASIM imProcessCreate) rendering of the Sigma rule
// "Suspicious SYSTEM User Process Creation" above: System-integrity processes
// under an AUTHORI/AUTORI user whose image or command line matches the
// suspicious list, excluding the ping / DISM / GuestConfiguration / Java
// filters, which are OR-ed together inside not(...).
// NOTE(review): each Sigma ParentImage check is expanded to both
// ParentProcessName and ActingProcessName; the ' -e* JAB' style wildcards are
// rendered as two independent `contains` checks, which is broader than the
// ordered Sigma pattern.
imProcessCreate
| where (((TargetProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (TargetUsername contains "AUTHORI" or TargetUsername contains "AUTORI")) and ((TargetProcessName endswith "\\calc.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\forfiles.exe" or TargetProcessName endswith "\\hh.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\ping.exe" or TargetProcessName endswith "\\wscript.exe") or TargetProcessCommandLine matches regex "net\\s+user\\s+" or (TargetProcessCommandLine contains " -NoP " or TargetProcessCommandLine contains " -W Hidden " or TargetProcessCommandLine contains " -decode " or TargetProcessCommandLine contains " /decode " or TargetProcessCommandLine contains " /urlcache " or TargetProcessCommandLine contains " -urlcache " or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " JAB") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " SUVYI") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " SQBFAFgA") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " aWV4I") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " IAB") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " PAA") or (TargetProcessCommandLine contains " -e" and TargetProcessCommandLine contains " aQBlAHgA") or TargetProcessCommandLine contains "vssadmin delete shadows" or TargetProcessCommandLine contains "reg SAVE HKLM" or TargetProcessCommandLine contains " -ma " or TargetProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or TargetProcessCommandLine contains ".downloadstring(" or TargetProcessCommandLine contains ".downloadfile(" or TargetProcessCommandLine contains " /ticket:" or TargetProcessCommandLine contains "dpapi::" or TargetProcessCommandLine contains "event::clear" or TargetProcessCommandLine contains 
"event::drop" or TargetProcessCommandLine contains "id::modify" or TargetProcessCommandLine contains "kerberos::" or TargetProcessCommandLine contains "lsadump::" or TargetProcessCommandLine contains "misc::" or TargetProcessCommandLine contains "privilege::" or TargetProcessCommandLine contains "rpc::" or TargetProcessCommandLine contains "sekurlsa::" or TargetProcessCommandLine contains "sid::" or TargetProcessCommandLine contains "token::" or TargetProcessCommandLine contains "vault::cred" or TargetProcessCommandLine contains "vault::list" or TargetProcessCommandLine contains " p::d " or TargetProcessCommandLine contains ";iex(" or TargetProcessCommandLine contains "MiniDump"))) and (not(((TargetProcessCommandLine contains "ping" and TargetProcessCommandLine contains "127.0.0.1" and TargetProcessCommandLine contains " -n ") or (TargetProcessName endswith "\\PING.EXE" and ActingProcessCommandLine contains "\\DismFoDInstall.cmd") or (ParentProcessName contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ActingProcessName contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\") or (((ParentProcessName contains ":\\Program Files (x86)\\Java\\" or ParentProcessName contains ":\\Program Files\\Java\\") or (ActingProcessName contains ":\\Program Files (x86)\\Java\\" or ActingProcessName contains ":\\Program Files\\Java\\")) and (ParentProcessName endswith "\\bin\\javaws.exe" or ActingProcessName endswith "\\bin\\javaws.exe") and (TargetProcessName contains ":\\Program Files (x86)\\Java\\" or TargetProcessName contains ":\\Program Files\\Java\\") and TargetProcessName endswith "\\bin\\jp2launcher.exe" and TargetProcessCommandLine contains " -ma "))))
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |