← Back to Explore
sigmamediumHunting
Sysprep on AppData Folder
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Detection Query
selection:
Image|endswith: \sysprep.exe
CommandLine|contains: \AppData\
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2018-06-22
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059
Raw Content
title: Sysprep on AppData Folder
id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
status: test
description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
references:
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth (Nextron Systems)
date: 2018-06-22
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sysprep.exe'
CommandLine|contains: '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium