← Back to Explore
sigmahighHunting
PUA - NirCmd Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
Detection Query
selection:
CommandLine|contains: " runassystem "
condition: selection
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2022-01-24
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1569.002attack.s0029
Raw Content
title: PUA - NirCmd Execution As LOCAL SYSTEM
id: d9047477-0359-48c9-b8c7-792cedcdc9c4
status: test
description: Detects the use of NirCmd tool for command execution as SYSTEM user
references:
- https://www.nirsoft.net/utils/nircmd.html
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
- https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' runassystem '
condition: selection
falsepositives:
- Legitimate use by administrators
level: high