Suspicious RunAs-Like Flag Combination
Detects suspicious command-line flag combinations that let the user specify both a target account and a command to run under it, as seen, for example, in PsExec-like tools.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
  selection_user:
    CommandLine|contains:
      - ' -u system '
      - ' --user system '
      - ' -u NT'
      - ' -u "NT'
      - " -u 'NT"
      - ' --system '
      - ' -u administrator '
  selection_command:
    CommandLine|contains:
      - ' -c cmd'
      - ' -c "cmd'
      - ' -c powershell'
      - ' -c "powershell'
      - ' --command cmd'
      - ' --command powershell'
      - ' -c whoami'
      - ' -c wscript'
      - ' -c cscript'
  condition: all of selection*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
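The two selectors and the "all of selection*" condition of this rule, evaluated over constructed process-creation events, as an added Python example (not code from the Sigma project or this page). The tool names and command lines are made up; comparisons are lowercased because Sigma's contains modifier is case-insensitive by default.

```python
# Added example, not part of the Sigma rule. Evaluates the rule's two selectors
# and its 'all of selection*' condition over constructed process_creation events.

SELECTION_USER = [
    ' -u system ', ' --user system ', ' -u NT', ' -u "NT', " -u 'NT",
    ' --system ', ' -u administrator ',
]
SELECTION_COMMAND = [
    ' -c cmd', ' -c "cmd', ' -c powershell', ' -c "powershell',
    ' --command cmd', ' --command powershell', ' -c whoami',
    ' -c wscript', ' -c cscript',
]

def _contains_any(command_line: str, needles: list[str]) -> bool:
    """Sigma 'CommandLine|contains' with a list value: any entry matching is a hit.
    Sigma string matching is case-insensitive by default, hence the lowercasing."""
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)

def matched_selectors(command_line: str) -> dict[str, bool]:
    """Per-selector result, handy in triage notes to explain why an event fired or not."""
    return {
        "selection_user": _contains_any(command_line, SELECTION_USER),
        "selection_command": _contains_any(command_line, SELECTION_COMMAND),
    }

def matches_rule(command_line: str) -> bool:
    """condition: all of selection* -> every selector must match the same event."""
    return all(matched_selectors(command_line).values())

# Constructed sample events (not real telemetry); field names follow process_creation.
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\runastool.exe", "CommandLine": "runastool.exe -u system -c cmd /c whoami"},
    {"Image": "C:\\Tools\\runastool.exe", "CommandLine": "runastool.exe --user SYSTEM --command powershell -enc AAA"},
    {"Image": "C:\\Tools\\runastool.exe", "CommandLine": 'runastool.exe -u "NT AUTHORITY\\SYSTEM" -c cscript x.vbs'},
    # Only selection_user matches: a target user but no -c/--command payload.
    {"Image": "C:\\Tools\\tool.exe", "CommandLine": "tool.exe -u system -p pass"},
    # Only selection_command matches: a command but no target user.
    {"Image": "C:\\Tools\\cli.exe", "CommandLine": "cli.exe -c cmd /c dir"},
    # Benign: neither selector matches.
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

def run_detection(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event this rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]

if __name__ == "__main__":
    for cl in run_detection(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Only the first three constructed events fire; the two single-selector events show why the condition requires both selectors, which keeps a lone "-u system" or a lone "-c cmd" from alerting on its own.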
References
MITRE ATT&CK
Rule Metadata
Rule ID: 50d66fb0-03f8-4da0-8add-84e77d12a020
Status: test
Level: medium
Type: Detection
Created: Fri Nov 11
Path: rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml
Raw Tags: attack.privilege-escalation