PUA - PingCastle Execution From Potentially Suspicious Parent
About the rule
Rule Type
Standard
Rule Description
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level, when it is launched via a script located in a potentially suspicious or uncommon location.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started"
  AND (
    PARENTPROCESSCOMMANDLINE contains ".bat,.chm,.cmd,.hta,.htm,.html,.js,.lnk,.ps1,.vbe,.vbs,.wsf"
    OR PARENTPROCESSCOMMANDLINE contains ":\Perflogs\,:\Temp\,:\Users\Public\,:\Windows\Temp\,\AppData\Local\Temp,\AppData\Roaming\,\Temporary Internet"
    OR (
      (PARENTPROCESSCOMMANDLINE contains ":\Users" AND PARENTPROCESSCOMMANDLINE contains "\Favorites")
      OR (PARENTPROCESSCOMMANDLINE contains ":\Users" AND PARENTPROCESSCOMMANDLINE contains "\Favourites")
      OR (PARENTPROCESSCOMMANDLINE contains ":\Users" AND PARENTPROCESSCOMMANDLINE contains "\Contacts")
    )
  )
  AND PARENTPROCESSCOMMANDLINE contains ".bat,.chm,.cmd,.hta,.htm,.html,.js,.lnk,.ps1,.vbe,.vbs,.wsf"
  AND (
    PROCESSNAME endswith "\PingCastle.exe"
    OR ORIGINALFILENAME = "PingCastle.exe"
    OR PRODUCT_NAME = "Ping Castle"
    OR COMMANDLINE contains "--scanner aclcheck,--scanner antivirus,--scanner computerversion,--scanner foreignusers,--scanner laps_bitlocker,--scanner localadmin,--scanner nullsession,--scanner nullsession-trust,--scanner oxidbindings,--scanner remote,--scanner share,--scanner smb,--scanner smb3querynetwork,--scanner spooler,--scanner startup,--scanner zerologon"
    OR COMMANDLINE contains "--no-enum-limit"
    OR (COMMANDLINE contains "--healthcheck" AND COMMANDLINE contains "--level Full")
    OR (COMMANDLINE contains "--healthcheck" AND COMMANDLINE contains "--server ")
  )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
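The criteria above expressed as a Python matcher and run over constructed process-creation events; this is an added example, not the vendor's or the rule authors' code. Field names follow the criteria, a comma-separated "contains" list is treated as "contains any of", and the repeated script-extension clause is kept exactly as written so its effect on the path-only parent branches is visible.

```python
# Added example (not from the rule page): the criteria as a Python matcher,
# run over constructed "Process started" events. Field names follow the criteria.
PARENT_SCRIPT_EXT = [".bat", ".chm", ".cmd", ".hta", ".htm", ".html", ".js",
                     ".lnk", ".ps1", ".vbe", ".vbs", ".wsf"]
PARENT_SUSP_PATHS = [":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Public\\",
                     ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp",
                     "\\AppData\\Roaming\\", "\\Temporary Internet"]
PARENT_USER_SUBDIRS = ["\\Favorites", "\\Favourites", "\\Contacts"]
SCANNER_FLAGS = ["--scanner " + s for s in (
    "aclcheck", "antivirus", "computerversion", "foreignusers", "laps_bitlocker",
    "localadmin", "nullsession", "nullsession-trust", "oxidbindings", "remote",
    "share", "smb", "smb3querynetwork", "spooler", "startup", "zerologon")]

def _contains_any(haystack, needles):
    return any(n in haystack for n in needles)

def parent_group(parent_cmd):
    """Parent OR group: script extension, uncommon path, or Users\\ plus Favorites/Favourites/Contacts."""
    return (_contains_any(parent_cmd, PARENT_SCRIPT_EXT)
            or _contains_any(parent_cmd, PARENT_SUSP_PATHS)
            or (":\\Users" in parent_cmd and _contains_any(parent_cmd, PARENT_USER_SUBDIRS)))

def pingcastle_group(ev):
    """PingCastle OR group: image name, file metadata, or command-line switches."""
    cmd = ev.get("COMMANDLINE", "")
    return (ev.get("PROCESSNAME", "").endswith("\\PingCastle.exe")
            or ev.get("ORIGINALFILENAME") == "PingCastle.exe"
            or ev.get("PRODUCT_NAME") == "Ping Castle"
            or _contains_any(cmd, SCANNER_FLAGS) or "--no-enum-limit" in cmd
            or ("--healthcheck" in cmd and ("--level Full" in cmd or "--server " in cmd)))

def rule_matches(ev):
    """Criteria exactly as written: the script-extension list is ANDed again after
    the parent OR group, so a parent matching only on path or on a Favorites/
    Contacts folder does not fire unless it also carries a script extension."""
    parent_cmd = ev.get("PARENTPROCESSCOMMANDLINE", "")
    return (ev.get("actionname") == "Process started"
            and parent_group(parent_cmd)
            and _contains_any(parent_cmd, PARENT_SCRIPT_EXT)
            and pingcastle_group(ev))

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"actionname": "Process started",  # fires: .bat parent plus --healthcheck --level Full
     "PARENTPROCESSCOMMANDLINE": "cmd.exe /c C:\\Users\\Public\\run.bat",
     "PROCESSNAME": "C:\\Users\\Public\\PingCastle.exe",
     "COMMANDLINE": "PingCastle.exe --healthcheck --level Full"},
    {"actionname": "Process started",  # path-only parent: stopped by the repeated clause
     "PARENTPROCESSCOMMANDLINE": "C:\\Windows\\Temp\\launcher.exe",
     "COMMANDLINE": "PingCastle.exe --no-enum-limit"},
]
```

Running `rule_matches` over `SAMPLE_EVENTS` fires on the first event only; the second clears both OR groups but is dropped by the extra extension clause, which is worth knowing when tuning on the path branches.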
Detection
Execution Mode
realtime
Log Sources
Active Directory
Author
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)