← Back to Explore
sigmahighHunting
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Detection Query
selection:
- OriginalFileName: Plink
- CommandLine|contains|all:
- " -l forward"
- " -P "
- " -R "
filter:
Image|endswith: \plink.exe
condition: selection and not filter
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-06
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036
Raw Content
title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
- attack.defense-evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'Plink'
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
filter:
Image|endswith: '\plink.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high