title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: experimental
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
    - https://twitter.com/eral4m/status/1451112385041911809
tags:
    - attack.defense_evasion
    - attack.t1218
author: Austin Songer (@austinsonger)
date: 2021/10/21
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\stordiag.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\systeminfo.exe'
            - '\fltmc.exe'
    filter:
        ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
            - 'c:\windows\system32\'
            - 'c:\windows\syswow64\'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of stordiag.exe.
level: high