
Suspicious GrpConv Execution

Summary
This detection rule identifies suspicious executions of the 'grpconv.exe' utility, a legacy Windows tool for converting Windows 3.x .grp files. In practice its use is associated with persistence mechanisms employed by malicious actors. The rule looks for command lines that invoke 'grpconv' with the '-o' option, which can indicate misuse of the utility. Filenames and command-line options are parsed so that the detection stays precise and false positives are kept low. Because abusing built-in Windows utilities is a common persistence tactic on compromised systems, this rule is valuable for alerting security teams to potentially malicious activity.
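The following is an added example, not the Sigma rule itself or any code from the rule's maintainers: it implements the matching logic the summary describes (grpconv invoked with the '-o' switch) over constructed process-creation events. It assumes Sysmon-style field names 'Image' and 'CommandLine'; the exact selection the published rule uses is not shown on this page, so the quote stripping and argument parsing here are this example's own simplifications.

```python
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\grpconv.exe", "CommandLine": "grpconv -o"},
    {"Image": r"C:\Windows\SysWOW64\grpconv.exe",
     "CommandLine": r"C:\Windows\SysWOW64\grpconv.exe -o"},
    {"Image": r"C:\Windows\System32\grpconv.exe", "CommandLine": "grpconv.exe"},
    {"Image": r"C:\Program Files\App\setup.exe", "CommandLine": r"setup.exe -o C:\out"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "grpconv -O"'},
]


def is_grpconv(name):
    """True when a path or bare program name refers to grpconv (with or without .exe)."""
    base = PureWindowsPath(name).name.lower()
    return base in ("grpconv", "grpconv.exe")


def _tokens(command_line):
    # Simplification: drop quotes and split on whitespace. Quoted paths with spaces
    # still work because only the last path component is compared.
    return command_line.replace('"', "").split()


def is_suspicious_grpconv(event):
    """Return True when the event shows grpconv being run with the -o option.

    The program is taken from the Image field when it is grpconv; otherwise the
    command line is scanned for a grpconv token (covers 'cmd /c grpconv -o').
    Only arguments after that token count, so 'setup.exe -o' is not a hit.
    """
    toks = _tokens(event.get("CommandLine", ""))
    if not toks:
        return False
    if is_grpconv(event.get("Image", "")):
        args = toks[1:]
    else:
        idx = next((i for i, t in enumerate(toks) if is_grpconv(t)), None)
        if idx is None:
            return False
        args = toks[idx + 1:]
    # Sigma string matching is case-insensitive, so -O is treated like -o.
    return any(t.lower() == "-o" for t in args)


def find_matches(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if is_suspicious_grpconv(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Running the block prints three alerts: the two direct grpconv invocations with '-o' and the one launched through cmd.exe; the bare 'grpconv.exe' run and the unrelated 'setup.exe -o' are left alone, which is the false-positive behaviour the summary calls for.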
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-05-19