
Summary
This detection rule identifies instances where command-line tools commonly used for system information retrieval (such as `ipconfig.exe` and `systeminfo.exe`) are executed by a parent process that is not one of the expected parents, specifically `cmd.exe`, PowerShell, or Explorer. Using process creation telemetry from Endpoint Detection and Response (EDR) solutions, the rule flags executions that may indicate misuse by advanced persistent threats (APTs) such as FIN7's JSSLoader, which is known to perform system discovery from injected processes. If the activity is confirmed to be malicious, it could allow attackers to gather critical system information, facilitating further exploitation or lateral movement within the network.
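As an added example, not part of this rule page or its author's code, the following Python applies the summary's logic to constructed Sysmon-style process-creation events: a discovery tool whose parent is outside the expected set is flagged. The field names, and mapping the summary's "PowerShell" to both `powershell.exe` and `pwsh.exe`, are assumptions.

```python
"""Process-creation telemetry check for discovery tools launched from an unusual parent."""

# Discovery utilities named in the rule summary (matched on the image file name).
DISCOVERY_TOOLS = {"ipconfig.exe", "systeminfo.exe"}

# Parents the rule treats as expected. The summary names cmd.exe, PowerShell and
# Explorer; mapping "PowerShell" to both powershell.exe and pwsh.exe is an assumption.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

PROCESS_CREATE = 1  # Sysmon Event ID 1 (process creation)


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unusual_parent_discovery(event: dict) -> bool:
    """True when a discovery tool is spawned by a parent outside the expected set."""
    if event.get("EventID") != PROCESS_CREATE:
        return False
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    # A missing parent (e.g. the parent exited before telemetry was collected)
    # is not one of the expected parents, so the event is still flagged for review.
    return image in DISCOVERY_TOOLS and parent not in EXPECTED_PARENTS


def find_hits(events):
    """Return the subset of events matching the rule, in arrival order."""
    return [e for e in events if is_unusual_parent_discovery(e)]


# Constructed sample telemetry (not real logs), using Sysmon Event ID 1 style fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4101, "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ipconfig /all"},
    {"EventID": 1, "ProcessId": 4102, "Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": r"C:\WINDOWS\Explorer.EXE", "CommandLine": "systeminfo"},
    {"EventID": 1, "ProcessId": 4103, "Image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "ipconfig /all"},
    {"EventID": 1, "ProcessId": 4104, "Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "systeminfo"},
    {"EventID": 1, "ProcessId": 4105, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "whoami"},
    {"EventID": 3, "ProcessId": 4103, "Image": r"C:\Windows\SysWOW64\ipconfig.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} {image_name(hit['Image'])} "
              f"spawned by {image_name(hit['ParentImage'])}")
```

Only the two process-creation events with a non-excluded parent are reported; the network event and the out-of-scope `whoami.exe` launch are ignored.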
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1059
- T1059.007
Created: 2025-01-24