Techniques
Sample rules
VMToolsd Suspicious Child Process
- source: sigma
- techniques:
- t1059
Description
Detects suspicious child process creations of the VMware Tools process (vmtoolsd.exe), which may indicate persistence setup
Detection logic
condition: all of selection* and not 1 of filter_main_*
filter_main_empty:
    CommandLine: ''
    Image|endswith: \cmd.exe
filter_main_null:
    CommandLine: null
    Image|endswith: \cmd.exe
filter_main_vmwaretools_script:
    CommandLine|contains:
        - \VMware\VMware Tools\poweron-vm-default.bat
        - \VMware\VMware Tools\poweroff-vm-default.bat
        - \VMware\VMware Tools\resume-vm-default.bat
        - \VMware\VMware Tools\suspend-vm-default.bat
    Image|endswith: \cmd.exe
selection_img:
    - Image|endswith:
        - \cmd.exe
        - \cscript.exe
        - \mshta.exe
        - \powershell.exe
        - \pwsh.exe
        - \regsvr32.exe
        - \rundll32.exe
        - \wscript.exe
    - OriginalFileName:
        - Cmd.Exe
        - cscript.exe
        - MSHTA.EXE
        - PowerShell.EXE
        - pwsh.dll
        - REGSVR32.EXE
        - RUNDLL32.EXE
        - wscript.exe
selection_parent:
    ParentImage|endswith: \vmtoolsd.exe
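An added example, not code from the rule or from SigmaHQ: a small Python evaluator of this rule's detection logic, run over constructed process-creation events. It assumes Sigma's default case-insensitive string matching and treats a missing CommandLine field as the `null` the filter_main_null block checks for.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): evaluates
# "all of selection* and not 1 of filter_main_*" over constructed events.
# Sigma matching is case-insensitive by default, so values are lower-cased.
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
                     "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
SUSPICIOUS_ORIGINAL_NAMES = ("cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                             "pwsh.dll", "regsvr32.exe", "rundll32.exe", "wscript.exe")
VMTOOLS_SCRIPTS = ("\\vmware\\vmware tools\\poweron-vm-default.bat",
                   "\\vmware\\vmware tools\\poweroff-vm-default.bat",
                   "\\vmware\\vmware tools\\resume-vm-default.bat",
                   "\\vmware\\vmware tools\\suspend-vm-default.bat")

def _low(ev, field):
    value = ev.get(field)                      # None if absent or YAML null
    return value.lower() if isinstance(value, str) else None

def selection_img(ev):
    # The two maps under selection_img are OR-ed: a renamed binary still
    # matches through its PE OriginalFileName.
    image, original = _low(ev, "Image") or "", _low(ev, "OriginalFileName")
    return image.endswith(SUSPICIOUS_IMAGES) or original in SUSPICIOUS_ORIGINAL_NAMES

def selection_parent(ev):
    return (_low(ev, "ParentImage") or "").endswith("\\vmtoolsd.exe")

def filter_main(ev):
    """True if any filter_main_* block matches (known-good vmtoolsd cmd.exe use)."""
    if not (_low(ev, "Image") or "").endswith("\\cmd.exe"):
        return False
    cmd = _low(ev, "CommandLine")
    if cmd is None or cmd == "":               # filter_main_null / filter_main_empty
        return True
    return any(script in cmd for script in VMTOOLS_SCRIPTS)

def rule_matches(ev):
    return selection_img(ev) and selection_parent(ev) and not filter_main(ev)

VMTOOLSD = "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": VMTOOLSD,
     "CommandLine": "cmd.exe /c \"C:\\Program Files\\VMware\\VMware Tools\\poweron-vm-default.bat\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": VMTOOLSD, "CommandLine": "powershell.exe -File C:\\Users\\Public\\task.ps1"},
    {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": VMTOOLSD, "CommandLine": "svc.exe -w hidden"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

def matching_indices(events):
    return [i for i, ev in enumerate(events) if rule_matches(ev)]   # [1, 2] for SAMPLE_EVENTS
```

Event 0 is the legitimate VMware power-script launch the filter exists for, and event 3 has the wrong parent; events 1 and 2 alert, the latter only because of the OriginalFileName branch.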