PUA - PingCastle Execution From Potentially Suspicious Parent

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Source: upstream

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.

MITRE ATT&CK coverage

Tactic	Techniques
Reconnaissance	`T1595` Active Scanning

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_parent_ext`

or:
ParentCommandLine|contains: .bat
ParentCommandLine|contains: .chm
ParentCommandLine|contains: .cmd
ParentCommandLine|contains: .hta
ParentCommandLine|contains: .htm
ParentCommandLine|contains: .html
ParentCommandLine|contains: .js
ParentCommandLine|contains: .lnk
ParentCommandLine|contains: .ps1
ParentCommandLine|contains: .vbe
ParentCommandLine|contains: .vbs
ParentCommandLine|contains: .wsf

Stage 2: `1 of selection_parent_path_1`

or:
ParentCommandLine|contains: ':\Perflogs\'
ParentCommandLine|contains: ':\Temp\'
ParentCommandLine|contains: ':\Users\Public\'
ParentCommandLine|contains: ':\Windows\Temp\'
ParentCommandLine|contains: '\AppData\Local\Temp'
ParentCommandLine|contains: '\AppData\Roaming\'
ParentCommandLine|contains: '\Temporary Internet'

Stage 3: `1 of selection_parent_path_2`

or:
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Contacts\'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Favorites\'
ParentCommandLine|contains: ':\Users\'
ParentCommandLine|contains: '\Favourites\'

Stage 4: `selection_parent_ext`

or:
ParentCommandLine|contains: .bat
ParentCommandLine|contains: .chm
ParentCommandLine|contains: .cmd
ParentCommandLine|contains: .hta
ParentCommandLine|contains: .htm
ParentCommandLine|contains: .html
ParentCommandLine|contains: .js
ParentCommandLine|contains: .lnk
ParentCommandLine|contains: .ps1
ParentCommandLine|contains: .vbe
ParentCommandLine|contains: .vbs
ParentCommandLine|contains: .wsf

Stage 5: `selection_cli`

or:
CommandLine|contains: --healthcheck
CommandLine|contains: '--level Full'
CommandLine|contains: --healthcheck
CommandLine|contains: '--server '
CommandLine|contains: --no-enum-limit
CommandLine|contains: '--scanner aclcheck'
CommandLine|contains: '--scanner antivirus'
CommandLine|contains: '--scanner computerversion'
CommandLine|contains: '--scanner foreignusers'
CommandLine|contains: '--scanner laps_bitlocker'
CommandLine|contains: '--scanner localadmin'
CommandLine|contains: '--scanner nullsession'
CommandLine|contains: '--scanner nullsession-trust'
CommandLine|contains: '--scanner oxidbindings'
CommandLine|contains: '--scanner remote'
CommandLine|contains: '--scanner share'
CommandLine|contains: '--scanner smb'
CommandLine|contains: '--scanner smb3querynetwork'
CommandLine|contains: '--scanner spooler'
CommandLine|contains: '--scanner startup'
CommandLine|contains: '--scanner zerologon'
Image|endswith: '\PingCastle.exe'
OriginalFileName: PingCastle.exe
Product: 'Ping Castle'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`--healthcheck` corpus 3 (sigma 3) `--level Full` corpus 3 (sigma 3) `--no-enum-limit` corpus 3 (sigma 3) `--scanner aclcheck` corpus 3 (sigma 3) `--scanner antivirus` corpus 3 (sigma 3) `--scanner computerversion` corpus 3 (sigma 3) `--scanner foreignusers` corpus 3 (sigma 3) `--scanner laps_bitlocker` corpus 3 (sigma 3) `--scanner localadmin` corpus 3 (sigma 3) `--scanner nullsession` corpus 3 (sigma 3) `--scanner nullsession-trust` corpus 3 (sigma 3) `--scanner oxidbindings` corpus 3 (sigma 3) `--scanner remote` corpus 3 (sigma 3) `--scanner share` corpus 3 (sigma 3) `--scanner smb` corpus 3 (sigma 3) `--scanner smb3querynetwork` corpus 3 (sigma 3) `--scanner spooler` corpus 3 (sigma 3) `--scanner startup` corpus 3 (sigma 3) `--scanner zerologon` corpus 3 (sigma 3) `--server` corpus 3 (sigma 3)
`Image`	ends_with	`\PingCastle.exe` corpus 3 (sigma 3)
`OriginalFileName`	eq	`PingCastle.exe` corpus 3 (sigma 3)
`ParentCommandLine`	match	`.bat` `.chm` `.cmd` `.hta` `.htm` `.html` `.js` `.lnk` corpus 2 (sigma 2) `.ps1` `.vbe` `.vbs` `.wsf` `:\Perflogs\` `:\Temp\` `:\Users\` corpus 3 (sigma 3) `:\Users\Public\` corpus 2 (sigma 2) `:\Windows\Temp\` corpus 2 (sigma 2) `\AppData\Local\Temp` `\AppData\Roaming\` `\Contacts\` corpus 2 (sigma 2) `\Favorites\` corpus 2 (sigma 2) `\Favourites\` corpus 2 (sigma 2) `\Temporary Internet` corpus 2 (sigma 2)
`Product`	eq	`Ping Castle` corpus 2 (sigma 2)

PUA - PingCastle Execution From Potentially Suspicious Parent

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_parent_ext

Stage 2: 1 of selection_parent_path_1

Stage 3: 1 of selection_parent_path_2