Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner", the component of the PDQ Deploy service stack that is responsible for executing commands and packages on remote machines.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Jul 22
Updated: Thu May 02
Rule ID: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
            # If you use any of the following processes legitimately comment them out
            - '\bash.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\csc.exe'
            - '\cscript.exe'
            - '\dllhost.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
        - Image|contains:
            - ':\ProgramData\'
            - ':\Users\Public\'
            - ':\Windows\TEMP\'
            - '\AppData\Local\Temp'
        - CommandLine|contains:
            - ' -decode '
            - ' -enc '
            - ' -encodedcommand '
            - ' -w hidden'
            - 'DownloadString'
            - 'FromBase64String'
            - 'http'
            - 'iex '
            - 'Invoke-'
    condition: all of selection_*
False Positives
Legitimate use of the PDQDeploy tool to execute these commands
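The following is an added example (not part of the Sigma rule or the SigmaHQ project) that reimplements the rule's matching logic in plain Python and runs it over a handful of constructed process_creation events. It follows Sigma's string semantics: `contains` and `endswith` are case-insensitive, values in a list are ORed, the three maps under `selection_child` are ORed with each other, and `all of selection_*` ANDs the two selections. Field names (`Image`, `ParentImage`, `CommandLine`) are the Sigma process_creation taxonomy; the parent-process paths in the sample events are constructed and only need to contain the `\PDQDeployRunner-` substring. The last event shows the false-positive case the rule's own comment warns about: a legitimate `msiexec.exe` package install launched by the runner still matches because `\msiexec.exe` is in the `Image|endswith` list.

```python
"""Evaluate the PDQDeployRunner Sigma rule against constructed events (added example)."""

# Rule values copied verbatim from the detection block above (backslashes doubled for Python).
PARENT_IMAGE_CONTAINS = ["\\PDQDeployRunner-"]

CHILD_IMAGE_ENDSWITH = [
    "\\bash.exe", "\\certutil.exe", "\\cmd.exe", "\\csc.exe", "\\cscript.exe",
    "\\dllhost.exe", "\\mshta.exe", "\\msiexec.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\scriptrunner.exe", "\\wmic.exe", "\\wscript.exe", "\\wsl.exe",
]
CHILD_IMAGE_CONTAINS = [
    ":\\ProgramData\\", ":\\Users\\Public\\", ":\\Windows\\TEMP\\", "\\AppData\\Local\\Temp",
]
CHILD_CMDLINE_CONTAINS = [
    " -decode ", " -enc ", " -encodedcommand ", " -w hidden",
    "DownloadString", "FromBase64String", "http", "iex ", "Invoke-",
]


def _contains(value, needles):
    """Sigma '|contains': case-insensitive substring match, OR over the list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith(value, needles):
    """Sigma '|endswith': case-insensitive suffix match, OR over the list."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def selection_parent(event):
    return _contains(event.get("ParentImage", ""), PARENT_IMAGE_CONTAINS)


def selection_child(event):
    # selection_child is a YAML list of maps, so the three maps are ORed.
    image = event.get("Image", "")
    return (
        _endswith(image, CHILD_IMAGE_ENDSWITH)
        or _contains(image, CHILD_IMAGE_CONTAINS)
        or _contains(event.get("CommandLine", ""), CHILD_CMDLINE_CONTAINS)
    )


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_parent(event) and selection_child(event)


# Constructed sample events; the PDQ runner path is illustrative, not a captured value.
RUNNER = "C:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\PDQDeployRunner-1.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "ParentImage": RUNNER,
     "Image": "C:\\WINDOWS\\SYSTEM32\\CMD.EXE",          # upper-case: still matches
     "CommandLine": "CMD.EXE /c whoami"},
    {"id": "e2", "ParentImage": RUNNER,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -File C:\\Users\\Public\\deploy.ps1"},
    {"id": "e3", "ParentImage": RUNNER,                   # benign vendor installer: no match
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": "setup.exe /quiet"},
    {"id": "e4", "ParentImage": "C:\\Windows\\explorer.exe",  # wrong parent: no match
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"id": "e5", "ParentImage": RUNNER,                   # legitimate MSI push: false positive
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Windows\\Temp\\agent.msi /qn"},
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if rule_matches(event) else "-", event["Image"])
```

If `e5` fires in your environment because PDQ Deploy pushes MSI packages, remove `\msiexec.exe` from `CHILD_IMAGE_ENDSWITH` (or comment it out in the rule, as the rule's own comment suggests) rather than loosening the parent match; the parent restriction is what keeps the rule specific to the runner.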
References
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
12b8e9f5-96b2-41e1-9a42-8c6779a5c184
Status
test
Level
medium
Type
Detection
Created
Fri Jul 22
Modified
Thu May 02
Path
rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
Raw Tags
attack.execution