Sigma
Sigma rules for xCmd
3 rules · scoped to tool · back to xCmd
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
3 of 3
direct
high
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
view Sigma YAML
title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 236d8e89-ed95-4789-a982-36f4643738ba
related:
- id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_bin_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_bin_cli:
CommandLine|contains|all:
- ' script '
- ' set '
selection_susp_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
direct
high
PUA - RunXCmd Execution
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
view Sigma YAML
title: PUA - RunXCmd Execution
id: 93199800-b52a-4dec-b762-75212c196542
status: test
description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
references:
- https://www.d7xtech.com/free-software/runx/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-24
modified: 2023-02-14
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: process_creation
product: windows
detection:
selection_account:
CommandLine|contains:
- ' /account=system '
- ' /account=ti '
selection_exec:
CommandLine|contains: '/exec='
condition: all of selection_*
falsepositives:
- Legitimate use by administrators
level: high
direct
medium
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
view Sigma YAML
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
- id: 236d8e89-ed95-4789-a982-36f4643738ba
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_cli:
CommandLine|contains|all:
- ' script '
- ' set '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Showing 1-3 of 3