Detectionhightest

PUA - RunXCmd Execution

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon Jan 24Updated Tue Feb 1493199800-b52a-4dec-b762-75212c196542windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_account:
        CommandLine|contains:
            - ' /account=system '
            - ' /account=ti '
    selection_exec:
        CommandLine|contains: '/exec='
    condition: all of selection_*

False Positives

Legitimate use by administrators

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1569.002 · Service Execution

Software

S0029 · S0029

Rule Metadata

Rule ID

93199800-b52a-4dec-b762-75212c196542

Status

test

Level

high

Type

Detection

Created

Mon Jan 24

Modified

Tue Feb 14

Author

Florian Roth (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml

Raw Tags

attack.executionattack.t1569.002attack.s0029

View on GitHub