
Potentially Suspicious Execution Of PDQDeployRunner

Format: Sigma · Level: medium · Source: SigmaHQ · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-11T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious execution of "PDQDeployRunner", the component of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines.

Detection Rule

Sigma (Original)

title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
              # If you use any of the following processes legitimately comment them out
              - '\bash.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\csc.exe'
              - '\cscript.exe'
              - '\dllhost.exe'
              - '\mshta.exe'
              - '\msiexec.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\scriptrunner.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wsl.exe'
        - Image|contains:
              - ':\ProgramData\'
              - ':\Users\Public\'
              - ':\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - ' -decode '
              - ' -enc '
              - ' -encodedcommand '
              - ' -w hidden'
              - 'DownloadString'
              - 'FromBase64String'
              - 'http'
              - 'iex '
              - 'Invoke-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName contains "\\PDQDeployRunner-" or ActingProcessName contains "\\PDQDeployRunner-")
    and (
        (TargetProcessName endswith "\\bash.exe" or TargetProcessName endswith "\\certutil.exe"
            or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\csc.exe"
            or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\dllhost.exe"
            or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\msiexec.exe"
            or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe"
            or TargetProcessName endswith "\\scriptrunner.exe" or TargetProcessName endswith "\\wmic.exe"
            or TargetProcessName endswith "\\wscript.exe" or TargetProcessName endswith "\\wsl.exe")
        or (TargetProcessName contains ":\\ProgramData\\" or TargetProcessName contains ":\\Users\\Public\\"
            or TargetProcessName contains ":\\Windows\\TEMP\\" or TargetProcessName contains "\\AppData\\Local\\Temp")
        or (TargetProcessCommandLine contains " -decode " or TargetProcessCommandLine contains " -enc "
            or TargetProcessCommandLine contains " -encodedcommand " or TargetProcessCommandLine contains " -w hidden"
            or TargetProcessCommandLine contains "DownloadString" or TargetProcessCommandLine contains "FromBase64String"
            or TargetProcessCommandLine contains "http" or TargetProcessCommandLine contains "iex "
            or TargetProcessCommandLine contains "Invoke-")
    )
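To see how the `all of selection_*` condition behaves on real-looking telemetry, here is an added Python evaluator of the rule's logic (it is not part of the SigmaHQ rule or of this feed) run over constructed process-creation events; the PDQ runner install path and the sample command lines are assumptions. It reproduces Sigma's case-insensitive `contains`/`endswith` matching and shows why the msiexec case listed under falsepositives fires.

```python
# Added example (not part of the SigmaHQ rule or the feed page): a small Python
# evaluator for this rule's logic, run over constructed process-creation events.
# Sigma 'contains'/'endswith' matching is case-insensitive by default, hence .lower().
PARENT_MARKER = "\\pdqdeployrunner-"
CHILD_IMAGE_ENDSWITH = (
    "\\bash.exe", "\\certutil.exe", "\\cmd.exe", "\\csc.exe", "\\cscript.exe",
    "\\dllhost.exe", "\\mshta.exe", "\\msiexec.exe", "\\regsvr32.exe",
    "\\rundll32.exe", "\\scriptrunner.exe", "\\wmic.exe", "\\wscript.exe", "\\wsl.exe",
)
CHILD_IMAGE_CONTAINS = (
    ":\\programdata\\", ":\\users\\public\\", ":\\windows\\temp\\", "\\appdata\\local\\temp",
)
CHILD_CMDLINE_CONTAINS = (
    " -decode ", " -enc ", " -encodedcommand ", " -w hidden", "downloadstring",
    "frombase64string", "http", "iex ", "invoke-",
)

def evaluate(event: dict) -> list[str]:
    """Return the child sub-selections that matched, or [] when the event does not
    satisfy `all of selection_*` (parent marker AND at least one child clause)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if PARENT_MARKER not in parent:          # selection_parent
        return []
    hits = []                                # selection_child is a list: OR of its items
    if image.endswith(CHILD_IMAGE_ENDSWITH):
        hits.append("image_endswith")
    if any(s in image for s in CHILD_IMAGE_CONTAINS):
        hits.append("image_contains")
    if any(s in cmdline for s in CHILD_CMDLINE_CONTAINS):
        hits.append("cmdline_contains")
    return hits

# Constructed sample events (not real telemetry); the PDQ runner path is assumed.
RUNNER = r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\PDQDeployRunner-1.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # encoded, hidden PowerShell spawned by the runner -> cmdline clause fires
    {"ParentImage": RUNNER, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    # runner installing a package with msiexec -> image clause fires (the documented false positive)
    {"ParentImage": RUNNER, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\pkg\app.msi /qn"},
    # same encoded PowerShell from Explorer -> no alert, the parent clause is required
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
]
```

Tuning for the false positive means narrowing the child clauses (for example, scoping msiexec to paths outside the deployment staging folder) rather than dropping the parent clause, which is what keeps the rule specific to PDQDeployRunner.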

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml