LoFP / legitimate use of the pdqdeploy tool to execute these commands

Techniques

Sample rules

Suspicious Execution Of PDQDeployRunner

Description

Detects suspicious child processes of "PDQDeployRunner", the component of the PDQ Deploy service stack that executes commands and packages on remote machines. Because PDQ Deploy legitimately runs installers and scripts through this runner, a match on its own is not proof of compromise; the false-positive case is a deployment that uses one of the listed interpreters, staging paths, or command-line patterns.

Detection logic

condition: all of selection_*
selection_parent:
  ParentImage|contains: PDQDeployRunner-
selection_susp:
- Image|endswith:
  - \wscript.exe
  - \cscript.exe
  - \rundll32.exe
  - \regsvr32.exe
  - \wmic.exe
  - \msiexec.exe
  - \mshta.exe
  - \csc.exe
  - \dllhost.exe
  - \certutil.exe
  - \scriptrunner.exe
  - \bash.exe
  - \wsl.exe
- Image|contains:
  - C:\Users\Public\
  - C:\ProgramData\
  - C:\Windows\TEMP\
  - \AppData\Local\Temp
- CommandLine|contains:
  - 'iex '
  - Invoke-
  - DownloadString
  - http
  - ' -enc '
  - ' -encodedcommand '
  - FromBase64String
  - ' -decode '
  - ' -w hidden'
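To show how the rule above behaves on both the malicious case and the legitimate-use case this page describes, the following is an added Python example (not part of the Sigma rule or the PDQ product). It re-implements the three selections with Sigma's case-insensitive `contains`/`endswith` semantics and runs them over a handful of constructed process-creation events. The PDQDeployRunner path, the `\\pdqserver\packages\` deployment share, and the optional tuning filter that allowlists that share are assumptions for illustration only.

```python
"""Evaluate the 'Suspicious Execution Of PDQDeployRunner' logic over sample events.

Added example, not the rule's own tooling. Sigma string modifiers are
case-insensitive, so every comparison below lowercases both sides.
"""

# Patterns copied from the rule's selection_susp block.
SUSP_IMAGE_SUFFIXES = [
    "\\wscript.exe", "\\cscript.exe", "\\rundll32.exe", "\\regsvr32.exe",
    "\\wmic.exe", "\\msiexec.exe", "\\mshta.exe", "\\csc.exe", "\\dllhost.exe",
    "\\certutil.exe", "\\scriptrunner.exe", "\\bash.exe", "\\wsl.exe",
]
SUSP_IMAGE_PATHS = [
    "C:\\Users\\Public\\", "C:\\ProgramData\\", "C:\\Windows\\TEMP\\",
    "\\AppData\\Local\\Temp",
]
SUSP_CMDLINE = [
    "iex ", "Invoke-", "DownloadString", "http", " -enc ", " -encodedcommand ",
    "FromBase64String", " -decode ", " -w hidden",
]

# Hypothetical deployment share used only by the tuning filter (assumption).
KNOWN_PACKAGE_SHARE = "\\\\pdqserver\\packages\\"


def selection_parent(event):
    """ParentImage|contains: PDQDeployRunner-"""
    return "pdqdeployrunner-" in event.get("ParentImage", "").lower()


def selection_susp(event):
    """OR of the three list entries under selection_susp."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        any(image.endswith(s.lower()) for s in SUSP_IMAGE_SUFFIXES)
        or any(p.lower() in image for p in SUSP_IMAGE_PATHS)
        or any(c.lower() in cmd for c in SUSP_CMDLINE)
    )


def matches(event, tuned=False):
    """condition: all of selection_*; 'tuned' adds an allowlist for the known share."""
    hit = selection_parent(event) and selection_susp(event)
    if hit and tuned and KNOWN_PACKAGE_SHARE.lower() in event.get("CommandLine", "").lower():
        return False  # legitimate package install from the deployment share
    return hit


# Constructed sample events (not real telemetry).
RUNNER = "C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\PDQDeployRunner-1.exe"
SAMPLE_EVENTS = [
    {"id": "legit-msi", "ParentImage": RUNNER,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i \\\\pdqserver\\packages\\app.msi /qn"},
    {"id": "enc-ps", "ParentImage": RUNNER,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": "vendor-setup", "ParentImage": RUNNER,
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": "\"C:\\Program Files\\Vendor\\setup.exe\" /silent"},
    {"id": "not-pdq", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\Public\\run.vbs"},
]


def evaluate(events, tuned=False):
    """Return (event id, matched) pairs for each event."""
    return [(e["id"], matches(e, tuned=tuned)) for e in events]


if __name__ == "__main__":
    for eid, hit in evaluate(SAMPLE_EVENTS):
        print(f"{eid:14} raw={hit}")
    for eid, hit in evaluate(SAMPLE_EVENTS, tuned=True):
        print(f"{eid:14} tuned={hit}")
```

Untuned, the legitimate `msiexec` package install fires exactly like the encoded PowerShell child, which is the false positive this page records; the `tuned` path shows one way to carve out that case without losing the encoded-command detection. A stricter filter would also check the parent's full path rather than only the `PDQDeployRunner-` substring.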