Detectionhightest

Renamed Vmnat.exe Execution

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

elhoimCreated Fri Sep 09Updated Fri Feb 037b4f794b-590a-4ad4-ba18-7964a2832205windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        OriginalFileName: 'vmnat.exe'
    filter_rename:
        Image|endswith: 'vmnat.exe'
    condition: selection and not 1 of filter_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

7b4f794b-590a-4ad4-ba18-7964a2832205

Status

test

Level

high

Type

Detection

Created

Fri Sep 09

Modified

Fri Feb 03

Author

elhoim

Path

rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001

View on GitHub