sigmahighHunting

Renamed Vmnat.exe Execution

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

MITRE ATT&CK

privilege-escalationpersistencedefense-evasion

Detection Query

selection:
  OriginalFileName: vmnat.exe
filter_rename:
  Image|endswith: vmnat.exe
condition: selection and not 1 of filter_*

Author

elhoim

Created

2022-09-09

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://twitter.com/malmoeb/status/1525901219247845376

Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001

Raw Content

title: Renamed Vmnat.exe Execution
id: 7b4f794b-590a-4ad4-ba18-7964a2832205
status: test
description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
references:
    - https://twitter.com/malmoeb/status/1525901219247845376
author: elhoim
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'vmnat.exe'
    filter_rename:
        Image|endswith: 'vmnat.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high