From 951ad8c453fdb495c16353be4dc3e1d7f85fdefb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 12 Nov 2022 08:33:21 +0100
Subject: [PATCH] rule: suspicious command line flags

---
 ...creation_win_susp_command_flag_pattern.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml

diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
new file mode 100644
index 000000000..269a8ab07
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
@@ -0,0 +1,36 @@
+title: Suspicious RunAs-Like Flag Combination
+id: 50d66fb0-03f8-4da0-8add-84e77d12a020
+status: experimental
+description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+references:
+ - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
+author: Florian Roth
+date: 2022/11/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_user:
+ CommandLine|contains:
+ - ' -u system '
+ - ' --user system '
+ - ' -u NT'
+ - ' -u "NT'
+ - " -u 'NT"
+ - ' --system '
+ - ' -u administrator '
+ selection_command:
+ CommandLine|contains:
+ - ' -c cmd'
+ - ' -c "cmd'
+ - ' -c powershell'
+ - ' -c "powershell'
+ - ' --command cmd'
+ - ' --command powershell'
+ - ' -c whoami'
+ - ' -c wscript'
+ - ' -c cscript'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
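Review bot: `condition: selection` refers to a selection the rule never defines; the two selections in the detection block are named `selection_user` and `selection_command`, so the rule will fail validation or, depending on the backend, never match. The title and description make clear that the intent is the combination of a user-targeting flag with a command flag, which would be `condition: selection_user and selection_command` (or `all of selection_*`). Several `selection_user` patterns also carry trailing spaces (`' -u system '`, `' --system '`) while `' -u NT'` does not, so a command line ending in the user token would miss the spaced variants; a comment on the intent (`# trailing space avoids partial matches such as -u systemd`) or dropping the trailing space where end-of-line matches are wanted would make the choice explicit. The `falsepositives` entry of `Unknown` could name the legitimate PsExec-style admin tooling the description itself mentions so triage has a starting point.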