title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2021/12/20
modified: 2022/04/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel: System
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
            - '\calc.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\forfiles.exe'
            - '\ping.exe'
        - CommandLine|contains:
            # - 'sc stop ' # stops a system service # causes FPs
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' -decode '  # Used with certutil
            - ' /decode '  # Used with certutil
            - ' /urlcache '  # Used with certutil
            - ' -urlcache '  # Used with certutil
            - ' -e* JAB'  # PowerShell encoded commands
            - ' -e* SUVYI'  # PowerShell encoded commands
            - ' -e* SQBFAFgA'  # PowerShell encoded commands
            - ' -e* aWV4I'  # PowerShell encoded commands
            - ' -e* IAB'  # PowerShell ncoded commands
            - ' -e* PAA'  # PowerShell encoded commands
            - ' -e* aQBlAHgA'  # PowerShell encoded commands
            - 'vssadmin delete shadows'  # Ransomware
            - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
            - ' -ma '  # ProcDump
            - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
            - '.downloadstring('  # PowerShell download command
            - '.downloadfile('  # PowerShell download command
            - ' /ticket:'  # Rubeus
            - 'dpapi::'     #Mimikatz
            - 'event::clear'        #Mimikatz
            - 'event::drop'     #Mimikatz
            - 'id::modify'      #Mimikatz
            - 'kerberos::'       #Mimikatz
            - 'lsadump::'      #Mimikatz
            - 'misc::'     #Mimikatz
            - 'privilege::'       #Mimikatz
            - 'rpc::'      #Mimikatz
            - 'sekurlsa::'       #Mimikatz
            - 'sid::'        #Mimikatz
            - 'token::'      #Mimikatz
            - 'vault::cred'     #Mimikatz
            - 'vault::list'     #Mimikatz
            - ' p::d '  # Mimikatz
            - ';iex('  # PowerShell IEX
            - 'MiniDump'  # Process dumping method apart from procdump
            - 'net user '
    condition: all of selection*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
Output will be displayed here
requirements.txt

flask==2.3.3

sigma-cli==0.7.6

pysigma==0.9.11

pySigma-backend-azure @ git+https://github.com/sifex/pySigma-backend-azure.git@9c35b78cd4d4891e1b46ccf21ed555ffb10b96e6

pysigma-backend-carbonblack==0.1.4

pysigma-backend-cortexxdr==0.1.1

pysigma-backend-elasticsearch==1.0.5

pySigma-backend-loki @ git+https://github.com/grafana/pySigma-backend-loki.git@452aa0d8bb096bbabdca5a83a884c45662dec666

pySigma-backend-microsoft365defender @ git+https://github.com/AttackIQ/pySigma-backend-microsoft365defender.git@731db4b6c7cbab8898973b4350d93268e135c495

pysigma-backend-opensearch==1.0.0

pysigma-backend-qradar==0.3.3

pySigma-backend-QRadar-AQL==0.2.3

pysigma-backend-sentinelone==0.1.2

pysigma-backend-sentinelone-pq==0.1.1

pysigma-backend-splunk==1.0.2

pySigma-backend-stix @ git+https://github.com/barvhaim/pySigma-backend-stix@0d7c05e187249c26f5abb99f63bf839c78705d1e

pysigma-pipeline-crowdstrike==1.0.0

pysigma-pipeline-sysmon==1.0.2

pysigma-pipeline-windows==1.1.0