SigmaHQ/rules/windows/process_creation/win_indirect_cmd.yml

32 lines
1.0 KiB
YAML

title: Indirect Command Execution
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
tags:
- attack.defense_evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\pcalua.exe'
- '\forfiles.exe'
condition: selection
fields:
- ComputerName
- User
- ParentCommandLine
- CommandLine
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
level: low