Sample rules
Potentially Suspicious Execution Of PDQDeployRunner
- source: sigma
- techniques:
Description
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack responsible for executing commands and packages on remote machines.
Detection logic
detection:
    condition: all of selection_*
    selection_child:
        - Image|endswith:
              - '\bash.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\csc.exe'
              - '\cscript.exe'
              - '\dllhost.exe'
              - '\mshta.exe'
              - '\msiexec.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\scriptrunner.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wsl.exe'
        - Image|contains:
              - ':\ProgramData\'
              - ':\Users\Public\'
              - ':\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - ' -decode '
              - ' -enc '
              - ' -encodedcommand '
              - ' -w hidden'
              - 'DownloadString'
              - 'FromBase64String'
              - 'http'
              - 'iex '
              - 'Invoke-'
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
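To make the matching semantics concrete (the three list items under selection_child are OR'ed, the two selections are AND'ed, and Sigma string matching is case-insensitive), here is an added Python example that is not part of the Sigma rule or of PDQ. It applies the rule's logic to a few constructed Sysmon-style process-creation events; the PDQDeployRunner paths are placeholders.

```python
# Added example: evaluate the rule above against constructed events.
# Field names follow Sysmon/Sigma (ParentImage, Image, CommandLine).

LOLBINS = ("\\bash.exe", "\\certutil.exe", "\\cmd.exe", "\\csc.exe",
           "\\cscript.exe", "\\dllhost.exe", "\\mshta.exe", "\\msiexec.exe",
           "\\regsvr32.exe", "\\rundll32.exe", "\\scriptrunner.exe",
           "\\wmic.exe", "\\wscript.exe", "\\wsl.exe")
SUSP_PATHS = (":\\ProgramData\\", ":\\Users\\Public\\", ":\\Windows\\TEMP\\",
              "\\AppData\\Local\\Temp")
SUSP_CMDLINE = (" -decode ", " -enc ", " -encodedcommand ", " -w hidden",
                "DownloadString", "FromBase64String", "http", "iex ", "Invoke-")


def matches(event: dict) -> bool:
    """True when the event satisfies `all of selection_*`.

    Sigma modifiers are case-insensitive, so every field and pattern is
    lower-cased before comparison.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_parent = "\\pdqdeployrunner-" in parent
    selection_child = (
        image.endswith(tuple(s.lower() for s in LOLBINS))
        or any(p.lower() in image for p in SUSP_PATHS)
        or any(c.lower() in cmdline for c in SUSP_CMDLINE)
    )
    return selection_parent and selection_child


# Constructed sample events (placeholder paths, not real telemetry).
PDQ_PARENT = r"C:\placeholder\PDQDeployRunner-1.exe"
SAMPLE_EVENTS = [
    {"ParentImage": PDQ_PARENT, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user"},                # LOLBIN child
    {"ParentImage": PDQ_PARENT, "Image": r"C:\placeholder\exec\installer.exe",
     "CommandLine": "installer.exe /silent"},             # benign deployment
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # wrong parent
    {"ParentImage": PDQ_PARENT,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},  # cmdline branch
]


def alerts(events) -> list:
    """Indexes of events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Event 1 fires on the Image|endswith branch and event 4 on the CommandLine|contains branch; the plain installer and the explorer-spawned cmd.exe do not fire.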