sigmaDRL-1.1from SigmaHQ/sigma
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Quality
54
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
- id: d679950c-abb7-43a6-80fb-2a480c4fc450
type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
references:
- https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\PDQDeployRunner-'
selection_child:
# Improve this section by adding other suspicious processes, commandlines or paths
- Image|endswith:
# If you use any of the following processes legitimately comment them out
- '\bash.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\csc.exe'
- '\cscript.exe'
- '\dllhost.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\scriptrunner.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
- Image|contains:
- ':\ProgramData\'
- ':\Users\Public\'
- ':\Windows\TEMP\'
- '\AppData\Local\Temp'
- CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -encodedcommand '
- ' -w hidden'
- 'DownloadString'
- 'FromBase64String'
- 'http'
- 'iex '
- 'Invoke-'
condition: all of selection_*
falsepositives:
- Legitimate use of the PDQDeploy tool to execute these commands
level: medium