From 507a0649f3e7c0c859ea3e8dd1fee9140ca00614 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 7 Dec 2021 07:34:18 +0100
Subject: [PATCH] rule: suspicious process creation as SYSTEM user

---
 .../win_susp_system_user_anomaly.yml | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_system_user_anomaly.yml

diff --git a/rules/windows/process_creation/win_susp_system_user_anomaly.yml b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
new file mode 100644
index 000000000..4b644b0dd
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
@@ -0,0 +1,61 @@
+title: Suspicious SYSTEM User Process Creation
+id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
+status: experimental
+description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
+references:
+ - Internal Research
+author: Florian Roth
+date: 2021/12/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ IntegrityLevel: System
+ User|contains|all: # covers many language settings
+ - 'AUT'
+ - 'SYSTEM'
+ selection_special:
+ - Image|endswith:
+ - '\calc.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\schtasks.exe'
+ - '\hh.exe'
+ - '\mshta.exe'
+ - '\forfiles.exe'
+ - '\ping.exe'
+ - CommandLine|contains:
+ - 'sc stop ' # stops a system service
+ - ' -NoP ' # Often used in malicious PowerShell commands
+ - ' -W Hidden ' # Often used in malicious PowerShell commands
+ - ' -decode ' # Used with certutil
+ - ' /decode ' # Used with certutil
+ - ' /urlcache ' # Used with certutil
+ - ' -urlcache ' # Used with certutil
+ - ' -e* JAB' # PowerShell encoded commands
+ - ' -e* SUVYI' # PowerShell encoded commands
+ - ' -e* SQBFAFgA' # PowerShell encoded commands
+ - ' -e* aWV4I' # PowerShell encoded commands
+ - ' -e* IAB' # PowerShell encoded commands
+ - ' -e* PAA' # PowerShell encoded commands
+ - ' -e* aQBlAHgA' # PowerShell encoded commands
+ - 'vssadmin delete shadows' # Ransomware
+ - 'reg SAVE HKLM' # save registry SAM - syskey extraction
+ - ' -ma ' # ProcDump
+ - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
+ - '.downloadstring(' # PowerShell download command
+ - '.downloadfile(' # PowerShell download command
+ - ' /ticket:' # Rubeus
+ - ' sekurlsa' # Mimikatz
+ - ' p::d ' # Mimikatz
+ - ';iex(' # PowerShell IEX
+ - 'schtasks* /create' # Scheduled task creation
+ - 'MiniDump' # Process dumping method apart from procdump
+ - 'net user '
+ condition: all of selection*
+falsepositives:
+ - Administrative activity
+ - Scripts and administrative tools used in the monitored environment
+ - Monitoring activity
+level: high
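Review bot: The two PowerShell switch patterns under `CommandLine|contains` only match the abbreviated spellings with a space on both sides, so `' -NoP '` misses `-NoProfile` (and `-nop` as the last token of the command line) and `' -W Hidden '` misses `-WindowStyle Hidden` as well as the truncated value `-w h` that PowerShell accepts; adding `' -NoProfile '` and `' -WindowStyle Hidden'` (or rewriting the entries with a wildcard such as `' -W* Hidden'`) would close the obvious gap without widening the rule much. Separately, `IntegrityLevel` is populated by Sysmon Event ID 1 but is not a field of Security Event 4688, so on 4688-only telemetry the `selection` block never matches and the rule is silent rather than noisy; a comment such as `# IntegrityLevel requires Sysmon process creation events` next to `IntegrityLevel: System` would make that deployment assumption visible. Finally, `\schtasks.exe`, `\ping.exe` and `'net user '` fire on every SYSTEM invocation regardless of arguments, which presumably overlaps with endpoint-management agents and scheduled maintenance; the falsepositives list acknowledges this, but `level: high` may be optimistic until those three entries are tuned against the environment's baseline.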