← Back to SOC feed Coverage →

Using SettingSyncHost.exe as LOLBin

sigma HIGH SigmaHQ
T1574.008
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-10T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects using SettingSyncHost.exe to run hijacked binary

Detection Rule

Sigma (Original)

title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.008
logsource:
    category: process_creation
    product: windows
detection:
    system_utility:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    parent_is_settingsynchost:
        ParentCommandLine|contains|all:
            - 'cmd.exe /c'
            - 'RoamDiag.cmd'
            - '-outputpath'
    condition: not system_utility and parent_is_settingsynchost
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (not((TargetProcessName startswith "C:\\Windows\\System32\\" or TargetProcessName startswith "C:\\Windows\\SysWOW64\\"))) and (ActingProcessCommandLine contains "cmd.exe /c" and ActingProcessCommandLine contains "RoamDiag.cmd" and ActingProcessCommandLine contains "-outputpath")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml