system administrator usage

Techniques

Sample rules

Renamed Sysinternals Sdelete Execution

source: sigma
technicques:
- t1485

Description

Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn’t do (the renaming)

Detection logic

condition: selection and not filter
filter:
  Image|endswith:
  - \sdelete.exe
  - \sdelete64.exe
selection:
  OriginalFileName: sdelete.exe

Potentially Suspicious Cabinet File Expansion

source: sigma
technicques:
- t1218

Description

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Detection logic

condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
filter_optional_dell:
  CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\
  ParentImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
selection_cmd:
  CommandLine|contains|windash: '-F:'
  Image|endswith: \expand.exe
selection_folders_1:
  CommandLine|contains:
  - :\Perflogs\
  - :\Users\Public\
  - \Temporary Internet
  - :\ProgramData
  - \AppData\Local\Temp
  - \AppData\Roaming\Temp
  - :\Windows\Temp
selection_folders_2:
- CommandLine|contains|all:
  - :\Users\
  - \Favorites\
- CommandLine|contains|all:
  - :\Users\
  - \Favourites\
- CommandLine|contains|all:
  - :\Users\
  - \Contacts\

Permission Check Via Accesschk.EXE

source: sigma
technicques:
- t1069
- t1069.001

Description

Detects the usage of the “Accesschk” utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains:
  - 'uwcqv '
  - 'kwsu '
  - 'qwsu '
  - 'uwdqs '
selection_img:
- Product|endswith: AccessChk
- Description|contains: Reports effective permissions
- Image|endswith:
  - \accesschk.exe
  - \accesschk64.exe
- OriginalFileName: accesschk.exe

Always Install Elevated Windows Installer

source: sigma
technicques:
- t1548
- t1548.002

Description

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Detection logic

condition: 1 of selection_image_* and selection_user and not 1 of filter_*
filter_avast:
  ParentImage|startswith:
  - C:\Program Files\Avast Software\
  - C:\Program Files (x86)\Avast Software\
filter_avira:
  ParentImage|startswith: C:\ProgramData\Avira\
filter_google_update:
  ParentImage|startswith:
  - C:\Program Files\Google\Update\
  - C:\Program Files (x86)\Google\Update\
filter_installer:
  ParentImage: C:\Windows\System32\services.exe
filter_repair:
- CommandLine|endswith: \system32\msiexec.exe /V
- ParentCommandLine|endswith: \system32\msiexec.exe /V
filter_sophos:
  ParentImage|startswith: C:\ProgramData\Sophos\
selection_image_1:
  Image|contains|all:
  - \Windows\Installer\
  - msi
  Image|endswith: tmp
selection_image_2:
  Image|endswith: \msiexec.exe
  IntegrityLevel: System
selection_user:
  User|contains:
  - AUTHORI
  - AUTORI

Execute Files with Msdeploy.exe

source: sigma
technicques:
- t1218

Description

Detects file execution using the msdeploy.exe lolbin

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - verb:sync
  - -source:RunCommand
  - -dest:runCommand
  Image|endswith: \msdeploy.exe