sigma | medium | Hunting
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
Detection Query
selection_parent:
    ParentImage|contains: \PDQDeployRunner-
selection_child:
    - Image|endswith:
          - \bash.exe
          - \certutil.exe
          - \cmd.exe
          - \csc.exe
          - \cscript.exe
          - \dllhost.exe
          - \mshta.exe
          - \msiexec.exe
          - \regsvr32.exe
          - \rundll32.exe
          - \scriptrunner.exe
          - \wmic.exe
          - \wscript.exe
          - \wsl.exe
    - Image|contains:
          - :\ProgramData\
          - :\Users\Public\
          - :\Windows\TEMP\
          - \AppData\Local\Temp
    - CommandLine|contains:
          - " -decode "
          - " -enc "
          - " -encodedcommand "
          - " -w hidden"
          - DownloadString
          - FromBase64String
          - http
          - "iex "
          - Invoke-
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-22
Data Sources
windows / Process Creation Events
Platforms
windows
Tags
attack.execution
Raw Content
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
              # If you use any of the following processes legitimately comment them out
              - '\bash.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\csc.exe'
              - '\cscript.exe'
              - '\dllhost.exe'
              - '\mshta.exe'
              - '\msiexec.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\scriptrunner.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wsl.exe'
        - Image|contains:
              - ':\ProgramData\'
              - ':\Users\Public\'
              - ':\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - ' -decode '
              - ' -enc '
              - ' -encodedcommand '
              - ' -w hidden'
              - 'DownloadString'
              - 'FromBase64String'
              - 'http'
              - 'iex '
              - 'Invoke-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium