Type: Detection, Level: high, Status: test

PUA - PingCastle Execution From Potentially Suspicious Parent

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level, when it is launched by a script (a parent command line referencing a .bat, .cmd, .ps1, .vbs, .js, .lnk or similar file) that resides in a potentially suspicious or uncommon location such as Temp, Users\Public or AppData.

Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Created: Thu Jan 11
Rule ID: b37998de-a70b-4f33-b219-ec36bf433dc0
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (4 selectors)
detection:
    selection_parent_ext:
        ParentCommandLine|contains:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.hta'
            - '.htm'
            - '.html'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    selection_parent_path_1:
        ParentCommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
    selection_parent_path_2:
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    selection_cli:
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
              - '--scanner aclcheck'
              - '--scanner antivirus'
              - '--scanner computerversion'
              - '--scanner foreignusers'
              - '--scanner laps_bitlocker'
              - '--scanner localadmin'
              - '--scanner nullsession'
              - '--scanner nullsession-trust'
              - '--scanner oxidbindings'
              - '--scanner remote'
              - '--scanner share'
              - '--scanner smb'
              - '--scanner smb3querynetwork'
              - '--scanner spooler'
              - '--scanner startup'
              - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--level Full'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--server '
    condition: 1 of selection_parent_path_* and selection_parent_ext and selection_cli
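To see what the selectors above actually fire on, the following stand-alone Python re-implements them and runs them over a handful of constructed Sysmon-style process-creation events. This is an added example, not the page's or the Sigma project's code (use sigma-cli / pySigma for real backend conversion); the event dictionaries and their field names (Image, CommandLine, ParentCommandLine, OriginalFileName, Product) are constructed inputs. Sigma string matching is case-insensitive by default, so every comparison lowercases both sides. The block evaluates two readings of the condition: one where `1 of selection_parent_*` also expands to `selection_parent_ext`, which makes the path selectors unable to change the outcome, and one where a suspicious parent path is required via `1 of selection_parent_path_*`, which is what the selector names indicate (that intent is my assumption).

```python
# Added example: offline re-implementation of the selectors of Sigma rule
# b37998de-a70b-4f33-b219-ec36bf433dc0. Not the page's or Sigma's own matcher.

PARENT_EXT = [".bat", ".chm", ".cmd", ".hta", ".htm", ".html",
              ".js", ".lnk", ".ps1", ".vbe", ".vbs", ".wsf"]
PARENT_PATH_1 = [":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\", ":\\Windows\\Temp\\",
                 "\\AppData\\Local\\Temp", "\\AppData\\Roaming\\", "\\Temporary Internet"]
PARENT_PATH_2 = [(":\\Users\\", "\\Favorites\\"), (":\\Users\\", "\\Favourites\\"),
                 (":\\Users\\", "\\Contacts\\")]
SCANNERS = ["aclcheck", "antivirus", "computerversion", "foreignusers", "laps_bitlocker",
            "localadmin", "nullsession", "nullsession-trust", "oxidbindings", "remote",
            "share", "smb", "smb3querynetwork", "spooler", "startup", "zerologon"]


def _contains_any(value, needles):
    # Sigma's `contains` is case-insensitive by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    # Sigma's `contains|all` modifier: every needle must be present.
    v = value.lower()
    return all(n.lower() in v for n in needles)


def selection_parent_ext(ev):
    return _contains_any(ev.get("ParentCommandLine", ""), PARENT_EXT)


def selection_parent_path_1(ev):
    return _contains_any(ev.get("ParentCommandLine", ""), PARENT_PATH_1)


def selection_parent_path_2(ev):
    pcl = ev.get("ParentCommandLine", "")
    return any(_contains_all(pcl, group) for group in PARENT_PATH_2)


def selection_cli(ev):
    # A list of maps in Sigma is OR-ed: any one of these identifies PingCastle,
    # including a renamed binary (OriginalFileName / Product from the PE header).
    cmd = ev.get("CommandLine", "")
    return (
        ev.get("Image", "").lower().endswith("\\pingcastle.exe")
        or ev.get("OriginalFileName", "").lower() == "pingcastle.exe"
        or ev.get("Product", "").lower() == "ping castle"
        or _contains_any(cmd, ["--scanner " + s for s in SCANNERS])
        or _contains_any(cmd, ["--no-enum-limit"])
        or _contains_all(cmd, ["--healthcheck", "--level Full"])
        or _contains_all(cmd, ["--healthcheck", "--server "])
    )


def matches_any_parent_selector(ev):
    # Reading 1: `1 of selection_parent_*` also expands to selection_parent_ext,
    # so (ext or path_1 or path_2) and ext and cli collapses to ext and cli.
    any_parent = (selection_parent_ext(ev) or selection_parent_path_1(ev)
                  or selection_parent_path_2(ev))
    return any_parent and selection_parent_ext(ev) and selection_cli(ev)


def matches_path_required(ev):
    # Reading 2: `1 of selection_parent_path_*` and ext and cli; a script parent
    # in a suspicious path is needed (assumed to be the authors' intent).
    return ((selection_parent_path_1(ev) or selection_parent_path_2(ev))
            and selection_parent_ext(ev) and selection_cli(ev))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "script_in_public",
     "ParentCommandLine": "cmd.exe /c C:\\Users\\Public\\run.bat",
     "Image": "C:\\Users\\Public\\PingCastle.exe",
     "CommandLine": "PingCastle.exe --healthcheck --level Full"},
    {"name": "renamed_binary_in_windows_temp",
     "ParentCommandLine": "wscript.exe C:\\Windows\\Temp\\update.vbs",
     "Image": "C:\\Windows\\Temp\\svchost32.exe",
     "OriginalFileName": "PingCastle.exe",
     "CommandLine": "svchost32.exe --scanner zerologon"},
    {"name": "script_outside_suspicious_paths",
     "ParentCommandLine": "powershell.exe -File C:\\Scripts\\ad-audit.ps1",
     "Image": "C:\\Tools\\PingCastle.exe",
     "CommandLine": "PingCastle.exe --healthcheck --server dc01.corp.local"},
    {"name": "interactive_admin",
     "ParentCommandLine": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\PingCastle\\PingCastle.exe",
     "CommandLine": "PingCastle.exe --healthcheck"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {event name: (any_parent_selector_hit, path_required_hit)}."""
    return {e["name"]: (matches_any_parent_selector(e), matches_path_required(e))
            for e in events}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:34} any_parent={loose!s:5} path_required={strict!s:5}")
```

The third event is the one worth triaging: a scheduled PowerShell audit script under C:\Scripts launching PingCastle with `--healthcheck --server` hits the script-extension selector and the CLI selector but none of the suspicious paths, so only the reading that ignores the path selectors alerts on it.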
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
b37998de-a70b-4f33-b219-ec36bf433dc0
Status
test
Level
high
Type
Detection
Created
Thu Jan 11
Path
rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml
Raw Tags
attack.reconnaissance, attack.t1595