detection.wiki

Detection rules › Sigma

PUA - AdvancedRun Execution

Severity
medium
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the execution of AdvancedRun utility

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.003 Command and Scripting Interpreter: Windows Command Shell
Privilege EscalationT1134.002 Access Token Manipulation: Create Process with Token
Defense EvasionT1134.002 Access Token Manipulation: Create Process with Token, T1564.003 Hide Artifacts: Hidden Window

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: ' /CommandLine '
CommandLine|contains: ' /RunAs '
CommandLine|contains: ' /WindowState 0'
CommandLine|contains: ' /EXEFilename '
CommandLine|contains: ' /Run'
OriginalFileName: AdvancedRun.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /CommandLine
  • /EXEFilename
  • /Run
  • /RunAs
  • /WindowState 0
OriginalFileNameeq
  • AdvancedRun.exe