---
# Sigma rule (windows / process_creation): child processes of stordiag.exe.
# Logic: event with EventID 1 (presumably Sysmon process creation — the
# logsource does not name a service) whose parent image is stordiag.exe and
# whose child is schtasks.exe, systeminfo.exe or fltmc.exe, excluding parents
# located under c:\windows\system32\ or c:\windows\syswow64\.
title: Execution via stordiag.exe
author: Austin Songer (@austinsonger)
date: 2021/10/21
description: >-
  Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe
  and fltmc.exe

detection:
  # Event type filter.
  SELECTION_1:
    EventID: 1
  # Parent must be stordiag.exe, from any directory.
  SELECTION_2:
    ParentImage: '*\stordiag.exe'
  # Children of interest; any one of the three satisfies the condition.
  SELECTION_3:
    Image: '*\schtasks.exe'
  SELECTION_4:
    Image: '*\systeminfo.exe'
  SELECTION_5:
    Image: '*\fltmc.exe'
  # Exclusions: parents under the Windows system directories. Sigma escaping:
  # '\\' is a literal backslash, the trailing '*' is the wildcard. Quoted so
  # the backslashes stay literal regardless of the YAML loader.
  SELECTION_6:
    ParentImage: 'c:\windows\system32\\*'
  SELECTION_7:
    ParentImage: 'c:\windows\syswow64\\*'
  # Fires only when stordiag.exe runs from outside the two system directories.
  condition: >-
    (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
    and not ((SELECTION_6 or SELECTION_7)))

falsepositives:
  - Legitimate usage of stordiag.exe.
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
level: high
logsource:
  category: process_creation
  product: windows
references:
  - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
  - https://twitter.com/eral4m/status/1451112385041911809
status: experimental
tags:
  - attack.defense_evasion
  - attack.t1218

# NOTE(review): the two keys below are not Sigma rule fields and appear to be
# metadata added by the converting tool; yml_path is an absolute path from
# the converter's machine — confirm it is intended before distributing.
yml_filename: process_creation_stordiag_execution.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation