Suspicious SYSTEM User Process Creation

Severity: high
Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
Source: upstream

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134` Access Token Manipulation
Defense Evasion	`T1027` Obfuscated Files or Information, `T1134` Access Token Manipulation
Credential Access	`T1003` OS Credential Dumping

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection`

IntegrityLevel: [S-1-16-16384, System]
or:
User|contains: AUTHORI
User|contains: AUTORI

Stage 2: `all of selection_special`

or:
CommandLine|contains: ' -NoP '
CommandLine|contains: ' -W Hidden '
CommandLine|contains: ' -decode '
CommandLine|contains: ' -e* IAB'
CommandLine|contains: ' -e* JAB'
CommandLine|contains: ' -e* PAA'
CommandLine|contains: ' -e* SQBFAFgA'
CommandLine|contains: ' -e* SUVYI'
CommandLine|contains: ' -e* aQBlAHgA'
CommandLine|contains: ' -e* aWV4I'
CommandLine|contains: ' -ma '
CommandLine|contains: ' -urlcache '
CommandLine|contains: ' /decode '
CommandLine|contains: ' /ticket:'
CommandLine|contains: ' /urlcache '
CommandLine|contains: ' p::d '
CommandLine|contains: '.downloadfile('
CommandLine|contains: '.downloadstring('
CommandLine|contains: ';iex('
CommandLine|contains: 'Microsoft\Windows\CurrentVersion\Run'
CommandLine|contains: MiniDump
CommandLine|contains: 'dpapi::'
CommandLine|contains: 'event::clear'
CommandLine|contains: 'event::drop'
CommandLine|contains: 'id::modify'
CommandLine|contains: 'kerberos::'
CommandLine|contains: 'lsadump::'
CommandLine|contains: 'misc::'
CommandLine|contains: 'privilege::'
CommandLine|contains: 'reg SAVE HKLM'
CommandLine|contains: 'rpc::'
CommandLine|contains: 'sekurlsa::'
CommandLine|contains: 'sid::'
CommandLine|contains: 'token::'
CommandLine|contains: 'vault::cred'
CommandLine|contains: 'vault::list'
CommandLine|contains: 'vssadmin delete shadows'
CommandLine|re: 'net\s+user\s+'
Image|endswith: '\calc.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\forfiles.exe'
Image|endswith: '\hh.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\ping.exe'
Image|endswith: '\wscript.exe'

Stage 3: `not 1 of filter_*`

or:
or:
Image|contains: ':\Program Files (x86)\Java\'
Image|contains: ':\Program Files\Java\'
or:
ParentImage|contains: ':\Program Files (x86)\Java\'
ParentImage|contains: ':\Program Files\Java\'
CommandLine|contains: ' -ma '
Image|endswith: '\bin\jp2launcher.exe'
ParentImage|endswith: '\bin\javaws.exe'
CommandLine|contains: ' -n '
CommandLine|contains: 127.0.0.1
CommandLine|contains: ping
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-NoP` corpus 2 (sigma 2) `-W Hidden` corpus 2 (sigma 2) `-decode` corpus 4 (sigma 4) `-e* IAB` `-e* JAB` `-e* PAA` `-e* SQBFAFgA` `-e* SUVYI` `-e* aQBlAHgA` `-e* aWV4I` `-ma` corpus 4 (sigma 4) `-n` corpus 5 (sigma 5) `-urlcache` `/decode` corpus 2 (sigma 2) `/ticket:` corpus 2 (sigma 2) `/urlcache` `p::d` `.downloadfile(` corpus 3 (sigma 3) `.downloadstring(` corpus 3 (sigma 3) `127.0.0.1` corpus 2 (sigma 2) `;iex(` `Microsoft\Windows\CurrentVersion\Run` `MiniDump` corpus 3 (sigma 3) `dpapi::` corpus 2 (sigma 2) `event::clear` `event::drop` `id::modify` `kerberos::` corpus 2 (sigma 2) `lsadump::` corpus 2 (sigma 2) `misc::` `ping` corpus 4 (sigma 4) `privilege::` corpus 2 (sigma 2) `reg SAVE HKLM` `rpc::` corpus 2 (sigma 2) `sekurlsa::` corpus 2 (sigma 2) `sid::` `token::` corpus 2 (sigma 2) `vault::cred` `vault::list` `vssadmin delete shadows`
`CommandLine`	regex_match	`net\s+user\s+`
`Image`	ends_with	`\PING.EXE` `\bin\jp2launcher.exe` `\calc.exe` corpus 13 (sigma 13) `\cscript.exe` corpus 64 (sigma 64) `\forfiles.exe` corpus 11 (sigma 11) `\hh.exe` corpus 14 (sigma 14) `\mshta.exe` corpus 57 (sigma 57) `\ping.exe` corpus 6 (sigma 6) `\wscript.exe` corpus 64 (sigma 64)
`Image`	match	`:\Program Files (x86)\Java\` `:\Program Files\Java\`
`IntegrityLevel`	eq	`S-1-16-16384` corpus 21 (sigma 21) `System` corpus 21 (sigma 21)
`ParentCommandLine`	match	`\DismFoDInstall.cmd`
`ParentImage`	ends_with	`\bin\javaws.exe`
`ParentImage`	match	`:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\` `:\Program Files (x86)\Java\` `:\Program Files\Java\`
`User`	match	`AUTHORI` corpus 16 (sigma 16) `AUTORI` corpus 16 (sigma 16)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Suspicious Child Process Created as System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)