Techniques
Sample rules
PUA - NirCmd Execution As LOCAL SYSTEM
- source: sigma
- techniques:
- t1569
- t1569.002
Description
Detects the use of the NirCmd tool for command execution as the SYSTEM user
Detection logic
condition: selection
selection:
  CommandLine|contains: ' runassystem '
PUA - RunXCmd Execution
- source: sigma
- techniques:
- t1569
- t1569.002
Description
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Detection logic
condition: all of selection_*
selection_account:
  CommandLine|contains:
    - ' /account=system '
    - ' /account=ti '
selection_exec:
  CommandLine|contains: /exec=
PUA - NSudo Execution
- source: sigma
- techniques:
- t1569
- t1569.002
Description
Detects the use of the NSudo tool for command execution
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains:
    - '-U:S '
    - '-U:T '
    - '-U:E '
    - '-P:E '
    - '-M:S '
    - '-M:H '
    - '-U=S '
    - '-U=T '
    - '-U=E '
    - '-P=E '
    - '-M=S '
    - '-M=H '
    - '-ShowWindowMode:Hide'
selection_img:
  - Image|endswith:
      - \NSudo.exe
      - \NSudoLC.exe
      - \NSudoLG.exe
  - OriginalFileName:
      - NSudo.exe
      - NSudoLC.exe
      - NSudoLG.exe
PUA - NirCmd Execution
- source: sigma
- techniques:
- t1569
- t1569.002
Description
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
Detection logic
combo_exec:
  CommandLine|contains:
    - ' exec '
    - ' exec2 '
combo_exec_params:
  CommandLine|contains:
    - ' show '
    - ' hide '
condition: 1 of selection_* or all of combo_*
selection_cmd:
  CommandLine|contains:
    - ' execmd '
    - '.exe script '
    - '.exe shexec '
    - ' runinteractive '
selection_org:
  - Image|endswith: \NirCmd.exe
  - OriginalFileName: NirCmd.exe
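The four detection blocks above share a small vocabulary: `|contains` and `|endswith` modifiers, list values that are OR-ed, list-of-maps selections that are OR-ed, and conditions of the form `selection`, `all of selection_*`, `1 of selection_*` and `all of combo_*` joined by `or`. The following is an added example, not Sigma's own evaluator nor code from the rule authors: a minimal matcher that implements just that vocabulary and runs the four rules over constructed process-creation events (the events, paths and command lines are made up for the example). It also shows why the NirCmd rule carries the `combo_*` pair in addition to the image/name selection: a renamed binary still trips the `exec`/`hide` combination.

```python
# Added example (not Sigma's code or the rules' project code): a minimal
# evaluator for the four rules on this page. Supported, because the rules
# need nothing more: |contains, |endswith, exact match, list values (OR),
# list-of-maps selections (OR), and "selection" / "all of X*" / "1 of X*"
# terms joined by "or". Sigma string matching is case-insensitive.
from fnmatch import fnmatchcase

RULES = {
    "PUA - NirCmd Execution As LOCAL SYSTEM": {
        "condition": "selection",
        "selection": {"CommandLine|contains": " runassystem "},
    },
    "PUA - RunXCmd Execution": {
        "condition": "all of selection_*",
        "selection_account": {"CommandLine|contains": [" /account=system ", " /account=ti "]},
        "selection_exec": {"CommandLine|contains": "/exec="},
    },
    "PUA - NSudo Execution": {
        "condition": "all of selection_*",
        "selection_cli": {"CommandLine|contains": [
            "-U:S ", "-U:T ", "-U:E ", "-P:E ", "-M:S ", "-M:H ",
            "-U=S ", "-U=T ", "-U=E ", "-P=E ", "-M=S ", "-M=H ",
            "-ShowWindowMode:Hide"]},
        "selection_img": [
            {"Image|endswith": ["\\NSudo.exe", "\\NSudoLC.exe", "\\NSudoLG.exe"]},
            {"OriginalFileName": ["NSudo.exe", "NSudoLC.exe", "NSudoLG.exe"]},
        ],
    },
    "PUA - NirCmd Execution": {
        "condition": "1 of selection_* or all of combo_*",
        "combo_exec": {"CommandLine|contains": [" exec ", " exec2 "]},
        "combo_exec_params": {"CommandLine|contains": [" show ", " hide "]},
        "selection_cmd": {"CommandLine|contains": [
            " execmd ", ".exe script ", ".exe shexec ", " runinteractive "]},
        "selection_org": [
            {"Image|endswith": "\\NirCmd.exe"},
            {"OriginalFileName": "NirCmd.exe"},
        ],
    },
}


def _field_matches(spec, expected, event):
    """Evaluate one 'Field|modifier: value(s)' entry against an event."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "contains":
        return any(v in actual for v in wanted)
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "":
        return actual in wanted
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection, event):
    """A map is AND-ed over its keys; a list of maps is OR-ed."""
    if isinstance(selection, list):
        return any(_selection_matches(s, event) for s in selection)
    return all(_field_matches(k, v, event) for k, v in selection.items())


def _condition_holds(detection, event):
    selections = {k: v for k, v in detection.items() if k != "condition"}

    def term(text):
        text = text.strip()
        for prefix, need_all in (("all of ", True), ("1 of ", False)):
            if text.startswith(prefix):
                names = [n for n in selections if fnmatchcase(n, text[len(prefix):])]
                hits = [_selection_matches(selections[n], event) for n in names]
                return all(hits) if (need_all and hits) else any(hits)
        return _selection_matches(selections[text], event)

    # Only "or" between terms is needed for the rules above.
    return any(term(t) for t in detection["condition"].split(" or "))


def match_rules(event):
    """Return the titles of every rule whose condition holds for the event."""
    return [title for title, det in RULES.items() if _condition_holds(det, event)]


# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\nircmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": "nircmd.exe runassystem cmd.exe /c whoami"},
    {"Image": "C:\\Tools\\RunXCmd.exe", "OriginalFileName": "RunXCmd.exe",
     "CommandLine": "RunXCmd.exe /account=system /exec=\"C:\\Windows\\System32\\cmd.exe\""},
    {"Image": "C:\\Users\\Public\\NSudoLG.exe", "OriginalFileName": "NSudoLG.exe",
     "CommandLine": "NSudoLG.exe -U:T -P:E -ShowWindowMode:Hide cmd.exe"},
    # Renamed NirCmd: selection_org misses, the combo_* pair still fires.
    {"Image": "C:\\Temp\\nc.exe", "OriginalFileName": "nc.exe",
     "CommandLine": "nc.exe exec hide notepad.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['CommandLine']!r:75} -> {match_rules(ev)}")
```

Note that the RunXCmd and NSudo rules only fire when every `selection_*` block matches, so a command line that names a privileged account but carries no `/exec=` (or no NSudo image/original name) is not reported; the matcher reproduces that AND semantics rather than alerting on either half alone.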