Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

PUA - PingCastle Execution

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), François HubautCreated Thu Jan 11b1cb4ab6-ac31-43f4-adf1-d9d08957419cwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - Hashes|contains:
              # PingCastle.exe
              - 'MD5=f741f25ac909ee434e50812d436c73ff'
              - 'MD5=d40acbfc29ee24388262e3d8be16f622'
              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
              - 'MD5=324579d717c9b9b8e71d0269d13f811f'
              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
              - 'MD5=049e85963826b059c9bac273bb9c82ab'
              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
              - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
              - 'MD5=a258ef593ac63155523a461ecc73bdba'
              - 'MD5=97000eb5d1653f1140ee3f47186463c4'
              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
              - 'MD5=124283924e86933ff9054a549d3a268b'
              - 'MD5=ceda6909b8573fdeb0351c6920225686'
              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
              - 'MD5=011d967028e797a4c16d547f7ba1463f'
              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
              - 'MD5=28caff93748cb84be70486e79f04c2df'
              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
              - 'MD5=9dce0a481343874ef9a36c9a825ef991'
              - 'MD5=85890f62e231ad964b1fda7a674747ec'
              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
              - 'MD5=32d45718164205aec3e98e0223717d1d'
              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
              - 'MD5=781fa16511a595757154b4304d2dd350'
              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
              - 'MD5=f4a84d6f1caf0875b50135423d04139f'
              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
              - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
              - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
              - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
              - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
              - '--scanner aclcheck'
              - '--scanner antivirus'
              - '--scanner computerversion'
              - '--scanner foreignusers'
              - '--scanner laps_bitlocker'
              - '--scanner localadmin'
              - '--scanner nullsession'
              - '--scanner nullsession-trust'
              - '--scanner oxidbindings'
              - '--scanner remote'
              - '--scanner share'
              - '--scanner smb'
              - '--scanner smb3querynetwork'
              - '--scanner spooler'
              - '--scanner startup'
              - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--level Full'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--server '
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
thedfirreport.com
3
Resolving title…
github.com
4
Resolving title…
github.com
5
Resolving title…
github.com
6
Resolving title…
github.com
7
Resolving title…
github.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

PUA - PingCastle Execution From Potentially Suspicious Parent

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
b1cb4ab6-ac31-43f4-adf1-d9d08957419c
Status
test
Level
medium
Type
Detection
Created
Thu Jan 11
Author
Nasreddine Bencherchali (Nextron Systems), François Hubaut
Path
rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml
Raw Tags
attack.reconnaissanceattack.t1595
View on GitHub