Techniques
Sample rules
Whoami Utility Execution
- source: sigma
- techniques:
  - t1033
Description
Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
Detection logic
    condition: selection
    selection:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
Whoami.EXE Execution Anomaly
- source: sigma
- techniques:
  - t1033
Description
Detects the execution of whoami.exe with suspicious parent processes.
Detection logic
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    filter_main_known_parents:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_parent_empty:
        ParentImage: ''
    filter_main_parent_null:
        ParentImage: null
    filter_optional_ms_monitoring_agent:
        ParentImage|endswith: ':\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
    selection:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
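To show how the condition above is evaluated (a list of maps is an OR, a map is an AND, and `1 of filter_main_*` means "any group whose name matches"), here is an added Python example that is not Sigma's or the page's own code. It encodes this rule's sections as written and runs them over constructed process-creation events; the sample paths are placeholders.

```python
from fnmatch import fnmatch
# Sections transcribed from the "Whoami.EXE Execution Anomaly" logic above.
RULE = {
    "selection": [{"Image|endswith": "\\whoami.exe"}, {"OriginalFileName": "whoami.exe"}],
    "filter_main_known_parents": {"ParentImage|endswith": [
        "\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"]},
    "filter_main_parent_empty": {"ParentImage": ""},
    "filter_main_parent_null": {"ParentImage": None},
    "filter_optional_ms_monitoring_agent": {"ParentImage|endswith":
        ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"},
}
def value_matches(actual, modifier, value):
    # Sigma string matching is case-insensitive; null matches only an absent field.
    if value is None or actual is None:
        return value is None and actual is None
    a, v = str(actual).lower(), str(value).lower()
    if modifier == "endswith":
        return a.endswith(v)
    if modifier == "contains":
        return v in a
    return a == v
def section_matches(event, section):
    # A list of maps is an OR of maps; a map is an AND of its fields; a value list is an OR.
    if isinstance(section, list):
        return any(section_matches(event, s) for s in section)
    for key, expected in section.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event.get(field), modifier, v) for v in values):
            return False
    return True
def evaluate(event):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    if not section_matches(event, RULE["selection"]):
        return False
    for pattern in ("filter_main_*", "filter_optional_*"):  # "1 of X*" = any X* group
        if any(section_matches(event, RULE[n]) for n in RULE if fnmatch(n, pattern)):
            return False
    return True

# Constructed process-creation events, not real telemetry; paths are placeholders.
SYS32 = "C:\\Windows\\System32\\"
EVENTS = {
    "from_cmd": {"Image": SYS32 + "whoami.exe", "ParentImage": SYS32 + "cmd.exe"},
    "from_office_app": {"Image": SYS32 + "whoami.exe", "ParentImage": "C:\\Apps\\WINWORD.EXE"},
    "renamed_copy": {"Image": "C:\\Users\\Public\\w.exe", "OriginalFileName": "whoami.exe",
                     "ParentImage": "C:\\Apps\\OUTLOOK.EXE"},
    "no_parent": {"Image": SYS32 + "whoami.exe"},
}
```

Only `from_office_app` and `renamed_copy` alert: the first two filters suppress the shell-spawned and parentless cases, and the `OriginalFileName` branch of `selection` still catches a renamed copy of the binary.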
Suspicious SYSTEM User Process Creation
- source: sigma
- techniques:
  - t1003
  - t1027
  - t1134
Description
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Detection logic
    condition: all of selection* and not 1 of filter_*
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        CommandLine|contains: ' -ma '
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|contains:
              - ' -NoP '
              - ' -W Hidden '
              - ' -decode '
              - ' /decode '
              - ' /urlcache '
              - ' -urlcache '
              - ' -e* JAB'
              - ' -e* SUVYI'
              - ' -e* SQBFAFgA'
              - ' -e* aWV4I'
              - ' -e* IAB'
              - ' -e* PAA'
              - ' -e* aQBlAHgA'
              - 'vssadmin delete shadows'
              - 'reg SAVE HKLM'
              - ' -ma '
              - 'Microsoft\Windows\CurrentVersion\Run'
              - '.downloadstring('
              - '.downloadfile('
              - ' /ticket:'
              - 'dpapi::'
              - 'event::clear'
              - 'event::drop'
              - 'id::modify'
              - 'kerberos::'
              - 'lsadump::'
              - 'misc::'
              - 'privilege::'
              - 'rpc::'
              - 'sekurlsa::'
              - 'sid::'
              - 'token::'
              - 'vault::cred'
              - 'vault::list'
              - ' p::d '
              - ';iex('
              - 'MiniDump'
              - 'net user '