← Back to Explore
sigmahighHunting
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Detection Query
selection:
CommandLine|contains:
- grpconv.exe -o
- grpconv -o
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2022-05-19
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.privilege-escalationattack.persistenceattack.t1547
Raw Content
title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
- https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'grpconv.exe -o'
- 'grpconv -o'
condition: selection
falsepositives:
- Unknown
level: high