sigmahighHunting

Using SettingSyncHost.exe as LOLBin

Detects using SettingSyncHost.exe to run hijacked binary

MITRE ATT&CK

privilege-escalationpersistenceexecutiondefense-evasion

Detection Query

system_utility:
  Image|startswith:
    - C:\Windows\System32\
    - C:\Windows\SysWOW64\
parent_is_settingsynchost:
  ParentCommandLine|contains|all:
    - cmd.exe /c
    - RoamDiag.cmd
    - -outputpath
condition: not system_utility and parent_is_settingsynchost

Author

Anton Kutepov, oscd.community

Created

2020-02-05

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin

Tags

attack.privilege-escalationattack.persistenceattack.executionattack.defense-evasionattack.t1574.008

Raw Content

title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.t1574.008
logsource:
    category: process_creation
    product: windows
detection:
    system_utility:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    parent_is_settingsynchost:
        ParentCommandLine|contains|all:
            - 'cmd.exe /c'
            - 'RoamDiag.cmd'
            - '-outputpath'
    condition: not system_utility and parent_is_settingsynchost
falsepositives:
    - Unknown
level: high