Suspicious Process Tree Execution Via PDQDeployRunner

Rule Info

Name
Suspicious Process Tree Execution Via PDQDeployRunner
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects suspicious child processes executed via "PDQDeployRunner". PDQDeployRunner is part of the PDQ Deploy service stack and is responsible for executing commands and packages on remote machines. Threats such as Avos Locker have been seen abusing RMM utilities in order to execute commands remotely.
Date
2024-05-02 00:00:00
Modified
None
Id
3295939b-f3c2-4960-8dc7-8545eecbf565
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History