curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): "Unusual printui.exe path"

This commit is contained in:
Ming Di Leom 2025-01-28 08:59:40 +00:00
parent 6c2d590207
commit d25e9662ab
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
source/threat-hunting/index.md
View File

@ -1447,6 +1447,19 @@ SPL:
| table Time, index, host, EventCode, EventDescription, parent_process, process, user, Name, Email | table Time, index, host, EventCode, EventDescription, parent_process, process, user, Name, Email
``` ```
## Unusual printui.exe path
References: [1](https://redcanary.com/blog/threat-intelligence/tangerine-turkey/)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="printui.exe" Processes.process_path!="C:\\Windows\\System32\\printui.exe" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email
| table Time, index, host, EventCode, EventDescription, parent_process, process, user, Name, Email
```
## User Login with Local Credentials ## User Login with Local Credentials
Description: Interactive logins should use domain credentials. Detect when a new user logs on with local credentials. Description: Interactive logins should use domain credentials. Detect when a new user logs on with local credentials.