detection.wiki

Detection rules › Sigma

Renamed PingCastle Binary Execution

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Source
upstream

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter
Defense EvasionT1202 Indirect Command Execution

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: --healthcheck
CommandLine|contains: '--level Full'
CommandLine|contains: --healthcheck
CommandLine|contains: '--server '
CommandLine|contains: --no-enum-limit
CommandLine|contains: '--scanner aclcheck'
CommandLine|contains: '--scanner antivirus'
CommandLine|contains: '--scanner computerversion'
CommandLine|contains: '--scanner foreignusers'
CommandLine|contains: '--scanner laps_bitlocker'
CommandLine|contains: '--scanner localadmin'
CommandLine|contains: '--scanner nullsession'
CommandLine|contains: '--scanner nullsession-trust'
CommandLine|contains: '--scanner oxidbindings'
CommandLine|contains: '--scanner remote'
CommandLine|contains: '--scanner share'
CommandLine|contains: '--scanner smb'
CommandLine|contains: '--scanner smb3querynetwork'
CommandLine|contains: '--scanner spooler'
CommandLine|contains: '--scanner startup'
CommandLine|contains: '--scanner zerologon'
OriginalFileName: PingCastle.exe
OriginalFileName: PingCastleCloud.exe
OriginalFileName: PingCastleReporting.exe

Stage 2: not 1 of filter_main_img

or:
Image|endswith: '\PingCastle.exe'
Image|endswith: '\PingCastleCloud.exe'
Image|endswith: '\PingCastleReporting.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • --healthcheck corpus 3 (sigma 3)
  • --level Full corpus 3 (sigma 3)
  • --no-enum-limit corpus 3 (sigma 3)
  • --scanner aclcheck corpus 3 (sigma 3)
  • --scanner antivirus corpus 3 (sigma 3)
  • --scanner computerversion corpus 3 (sigma 3)
  • --scanner foreignusers corpus 3 (sigma 3)
  • --scanner laps_bitlocker corpus 3 (sigma 3)
  • --scanner localadmin corpus 3 (sigma 3)
  • --scanner nullsession corpus 3 (sigma 3)
  • --scanner nullsession-trust corpus 3 (sigma 3)
  • --scanner oxidbindings corpus 3 (sigma 3)
  • --scanner remote corpus 3 (sigma 3)
  • --scanner share corpus 3 (sigma 3)
  • --scanner smb corpus 3 (sigma 3)
  • --scanner smb3querynetwork corpus 3 (sigma 3)
  • --scanner spooler corpus 3 (sigma 3)
  • --scanner startup corpus 3 (sigma 3)
  • --scanner zerologon corpus 3 (sigma 3)
  • --server corpus 3 (sigma 3)
Imageends_with
  • \PingCastle.exe corpus 3 (sigma 3)
  • \PingCastleCloud.exe
  • \PingCastleReporting.exe
OriginalFileNameeq
  • PingCastle.exe corpus 3 (sigma 3)
  • PingCastleCloud.exe
  • PingCastleReporting.exe