Sigma · level: high · Hunting

Suspicious SYSTEM User Process Creation

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

MITRE ATT&CK

credential-access, defense-evasion, privilege-escalation

Detection Query

# Rendered detection section of the Sigma rule (comments and quoting from the
# raw rule are stripped by the site; see "Raw Content" below for the original).
# Logic: a process created under a System-integrity token by an "NT AUTHORITY"
# style account, where the image or command line matches a known attack-tool
# or LOLBin pattern, minus four known-benign sources.
selection:
  # Both keys must match (keys inside one mapping are ANDed).
  IntegrityLevel:
    - System
    - S-1-16-16384  # SID form of the System integrity level
  # Localized spellings of "AUTHORITY" (NT AUTHORITY\SYSTEM, NT AUTORITÉ\SYSTEM, ...).
  # NOTE(review): other NT AUTHORITY\* accounts that run at System integrity
  # (e.g. the service accounts) match this selection as well.
  User|contains:
    - AUTHORI
    - AUTORI
# A list of mappings is ORed: any one of the three sub-blocks is enough.
selection_special:
  # Script hosts / LOLBins that are rarely launched as SYSTEM legitimately.
  - Image|endswith:
      - \calc.exe
      - \cscript.exe
      - \forfiles.exe
      - \hh.exe
      - \mshta.exe
      - \ping.exe
      - \wscript.exe
  # Local account manipulation ("net user ...") with any amount of whitespace.
  - CommandLine|re: net\s+user\s+
  - CommandLine|contains:
      - " -NoP "  # PowerShell -NoProfile, common in malicious one-liners
      - " -W Hidden "  # PowerShell hidden window
      - " -decode "  # certutil base64 decode
      - " /decode "  # certutil base64 decode
      - " /urlcache "  # certutil download
      - " -urlcache "  # certutil download
      # '*' is a Sigma wildcard: matches -e, -enc, -EncodedCommand ... followed
      # by base64 prefixes of common PowerShell script fragments.
      - " -e* JAB"
      - " -e* SUVYI"
      - " -e* SQBFAFgA"
      - " -e* aWV4I"
      - " -e* IAB"
      - " -e* PAA"
      - " -e* aQBlAHgA"
      - vssadmin delete shadows  # shadow-copy deletion, typical ransomware prelude
      - reg SAVE HKLM  # hive dump (SAM/SYSTEM) for offline credential extraction
      - " -ma "  # ProcDump full memory dump switch
      - Microsoft\Windows\CurrentVersion\Run  # Run-key persistence via command line
      - .downloadstring(  # PowerShell download cradle
      - .downloadfile(  # PowerShell download cradle
      - " /ticket:"  # Rubeus ticket argument
      # Mimikatz module prefixes (see the mimikatz reference in the raw rule).
      - "dpapi::"
      - event::clear
      - event::drop
      - id::modify
      - "kerberos::"
      - "lsadump::"
      - "misc::"
      - "privilege::"
      - "rpc::"
      - "sekurlsa::"
      - "sid::"
      - "token::"
      - vault::cred
      - vault::list
      - " p::d "  # Mimikatz shorthand for privilege::debug
      - ;iex(  # PowerShell Invoke-Expression chained after another statement
      - MiniDump  # process memory dumping without procdump (e.g. a MiniDump export call)
# "ping 127.0.0.1 -n N" is a common scripted sleep.
# NOTE(review): contains|all is evaluated over the whole command line, so a
# chained malicious command that also embeds this idiom is excluded too.
filter_main_ping:
  CommandLine|contains|all:
    - ping
    - 127.0.0.1
    - " -n "
# Ping spawned by DismFoDInstall.cmd (presumably a Visual Studio / Features
# on Demand installer script, going by the filter name).
filter_vs:
  Image|endswith: \PING.EXE
  ParentCommandLine|contains: \DismFoDInstall.cmd
# Guest Configuration extension plugin path (Azure VM agent, by the path name).
filter_config_mgr:
  ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
# Java Web Start: javaws launching jp2launcher with ' -ma ', which would
# otherwise trip the ProcDump keyword above. All five keys must match.
filter_java:
  ParentImage|contains:
    - :\Program Files (x86)\Java\
    - :\Program Files\Java\
  ParentImage|endswith: \bin\javaws.exe
  Image|contains:
    - :\Program Files (x86)\Java\
    - :\Program Files\Java\
  Image|endswith: \bin\jp2launcher.exe
  CommandLine|contains: " -ma "
# selection AND selection_special, minus any single matching filter_* block.
condition: all of selection* and not 1 of filter_*

Author

Florian Roth (Nextron Systems), David ANDRE (additional keywords)

Created

2021-12-20

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.credential-access, attack.defense-evasion, attack.privilege-escalation, attack.t1134, attack.t1003, attack.t1027
Raw Content
# Sigma rule: process creation under a System-integrity token by an
# "NT AUTHORITY" style account, where either the image or the command line
# matches a known attack-tool / LOLBin pattern. Four filter_* blocks carve out
# known benign sources; the condition ANDs both selections and subtracts any
# filter. Level is "high" and status "test": expect tuning of the filters per
# environment before treating hits as alerts.
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules  # source of the Mimikatz module prefixes below
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
# Requires a process-creation source that exposes CommandLine, User,
# IntegrityLevel and the Parent* fields used by the filters; the concrete
# event mapping is backend-specific.
logsource:
    category: process_creation
    product: windows
detection:
    # Both keys must match (keys inside one mapping are ANDed).
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'  # SID form of the System integrity level
        User|contains:  # covers many language settings (NT AUTHORITY\SYSTEM, NT AUTORITÉ\SYSTEM, ...)
            # NOTE(review): other NT AUTHORITY\* accounts that run at System
            # integrity (e.g. the service accounts) match this selection too.
            - 'AUTHORI'
            - 'AUTORI'
    # A list of mappings is ORed: any one of the three sub-blocks is enough.
    selection_special:
        # Script hosts / LOLBins that are rarely launched as SYSTEM legitimately.
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        # Local account manipulation ("net user ...") with any amount of whitespace.
        - CommandLine|re: 'net\s+user\s+'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP '  # PowerShell -NoProfile, often used in malicious one-liners
              - ' -W Hidden '  # PowerShell hidden window, often used in malicious one-liners
              - ' -decode '  # Used with certutil (base64 decode)
              - ' /decode '  # Used with certutil (base64 decode)
              - ' /urlcache '  # Used with certutil (download)
              - ' -urlcache '  # Used with certutil (download)
              # PowerShell encoded commands: '*' is a Sigma wildcard (matches -e,
              # -enc, -EncodedCommand ...); the suffixes are base64 prefixes of
              # common script fragments.
              - ' -e* JAB'
              - ' -e* SUVYI'
              - ' -e* SQBFAFgA'
              - ' -e* aWV4I'
              - ' -e* IAB'
              - ' -e* PAA'
              - ' -e* aQBlAHgA'
              - 'vssadmin delete shadows'  # Ransomware: shadow-copy deletion before encryption
              - 'reg SAVE HKLM'  # hive dump (SAM/SYSTEM/SECURITY) for offline credential extraction
              - ' -ma '  # ProcDump full memory dump switch
              - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD (persistence)
              - '.downloadstring('  # PowerShell download cradle
              - '.downloadfile('  # PowerShell download cradle
              - ' /ticket:'  # Rubeus ticket argument
              # Mimikatz module prefixes (see the reference above). Bare '<module>::'
              # is used where the whole module is suspicious; specific commands
              # where the module has benign uses.
              - 'dpapi::'  # Mimikatz
              - 'event::clear'  # Mimikatz (log clearing)
              - 'event::drop'  # Mimikatz (log tampering)
              - 'id::modify'  # Mimikatz
              - 'kerberos::'  # Mimikatz
              - 'lsadump::'  # Mimikatz
              - 'misc::'  # Mimikatz
              - 'privilege::'  # Mimikatz
              - 'rpc::'  # Mimikatz
              - 'sekurlsa::'  # Mimikatz
              - 'sid::'  # Mimikatz
              - 'token::'  # Mimikatz
              - 'vault::cred'  # Mimikatz
              - 'vault::list'  # Mimikatz
              - ' p::d '  # Mimikatz shorthand for privilege::debug
              - ';iex('  # PowerShell IEX chained after another statement
              - 'MiniDump'  # Process dumping method apart from procdump (e.g. a MiniDump export call)
    # "ping 127.0.0.1 -n N" is a common scripted sleep.
    # NOTE(review): contains|all is evaluated over the whole command line, so a
    # chained malicious command that also embeds this idiom is excluded too.
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    # Ping spawned by DismFoDInstall.cmd (presumably a Visual Studio / Features
    # on Demand installer script, going by the filter name).
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    # Guest Configuration extension plugin path (Azure VM agent, by the path name).
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    # Java Web Start: javaws launching jp2launcher with ' -ma ', which would
    # otherwise trip the ProcDump keyword above. All five keys must match.
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    # selection AND selection_special, minus any single matching filter_* block.
    condition: all of selection* and not 1 of filter_*
# Expected benign sources; tune with additional filter_* blocks rather than
# by loosening the selections.
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high