Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

PaperCut MF/NG Exploitation Related Indicators

Detects exploitation indicators related to PaperCut MF/NG Exploitation

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Apr 25de1bd0b6-6d59-417c-86d9-a44114aede3b2023
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_1:
        CommandLine|contains|all:
            - ' /c '
            - 'powershell'
            - '-nop -w hidden'
            - 'Invoke-WebRequest'
            - 'setup.msi'
            - '-OutFile'
    selection_2:
        CommandLine|contains|all:
            - 'msiexec '
            - '/i '
            - 'setup.msi '
            - '/qn '
            - 'IntegratorLogin=fimaribahundq'
    condition: 1 of selection_*
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
huntress.com
2
Resolving title…
papercut.com
MITRE ATT&CK

Other

detection.emerging-threats
Rule Metadata
Rule ID
de1bd0b6-6d59-417c-86d9-a44114aede3b
Status
test
Level
high
Type
Emerging Threat
Created
Tue Apr 25
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml
Raw Tags
attack.executiondetection.emerging-threats
View on GitHub