Suspicious RunAs-Like Flag Combination

Rule Info

Name
Suspicious RunAs-Like Flag Combination
Author
Florian Roth (Nextron Systems)
Description
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Reference
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Date
2022-11-11 00:00:00
Modified
None
Id
50d66fb0-03f8-4da0-8add-84e77d12a020
Tags
attack.privilege_escalation DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=50d66fb0-03f8-4da0-8add-84e77d12a020

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
fix: shorten filenames
2023-03-06
e5c75d323
Nasreddine Bencherchali
feat: more updates
2023-03-06
e3503d5d6
Nasreddine Bencherchali
feat: more updates and fixes
2023-02-28
137dcbcc5
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Florian Roth
fix: condition
2022-11-14
c03944c70
Florian Roth
rule: suspicious command line flags
2022-11-12
951ad8c45
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022