sigmamediumHunting

PUA - AdvancedRun Execution

Detects the execution of AdvancedRun utility

MITRE ATT&CK

executiondefense-evasionprivilege-escalation

Detection Query

selection:
  - OriginalFileName: AdvancedRun.exe
  - CommandLine|contains|all:
      - " /EXEFilename "
      - " /Run"
  - CommandLine|contains|all:
      - " /WindowState 0"
      - " /RunAs "
      - " /CommandLine "
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-01-20

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.defense-evasionattack.privilege-escalationattack.t1564.003attack.t1134.002attack.t1059.003

Raw Content

title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
    - id: fa00b701-44c6-4679-994d-5a18afa8a707
      type: similar
status: test
description: Detects the execution of AdvancedRun utility
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1564.003
    - attack.t1134.002
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - OriginalFileName: 'AdvancedRun.exe'
        - CommandLine|contains|all:
              - ' /EXEFilename '
              - ' /Run'
        - CommandLine|contains|all:
              - ' /WindowState 0'
              - ' /RunAs '
              - ' /CommandLine '
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml