22. CommandCheck

The CommandCheck module is a meta module that analyses full command lines (path, executable, parameters) in different modules.

22.1. Samples

May 20 12:25:49 server55.local.net/10.1.12.2
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: C:\Windows\TEMP\vmw72DE.tmp\guestcustutil.exe
SCORE: 75

May 6 11:26:59 server88.local.net/10.10.9.33
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: d:\temp\aaa.cmd
SCORE: 75
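
The following is an added example, not part of the THOR documentation or tooling: a small parser that re-joins wrapped events like the samples above, splits them into fields, and returns the CommandCheck hits for triage. It assumes the layout shown in the samples (syslog timestamp, `host/ip`, then upper-case `KEY: value` pairs); the function names and the `min_score` cut-off are hypothetical.

```python
import re

# Constructed input: the two sample events from this section, wrapped as shown.
SAMPLE = r"""May 20 12:25:49 server55.local.net/10.1.12.2
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: C:\Windows\TEMP\vmw72DE.tmp\guestcustutil.exe
SCORE: 75
May 6 11:26:59 server88.local.net/10.10.9.33
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: d:\temp\aaa.cmd
SCORE: 75
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
HEADER = re.compile(r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
                    r"(?P<host>[^/\s]+)/(?P<ip>\S+) THOR: (?P<level>\w+): (?P<body>.*)$")
# Assumption: field names are upper-case words followed by ": ". A drive letter
# such as "C:\" is not followed by a space, so Windows paths are not split.
KEY = re.compile(r"(?:^| )([A-Z][A-Z0-9_]+): ")

def join_records(text):
    """Re-join wrapped events: a new event starts at a syslog timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_event(record):
    """Return a dict of header fields plus KEY: value pairs, or None."""
    m = HEADER.match(record)
    if not m:
        return None
    event = {k: m.group(k) for k in ("time", "host", "ip", "level")}
    parts = KEY.split(m.group("body"))   # ['', key1, val1, key2, val2, ...]
    event.update(zip(parts[1::2], (v.strip() for v in parts[2::2])))
    return event

def command_check_hits(text, min_score=75):
    """CommandCheck events at or above min_score (hypothetical triage cut-off)."""
    events = filter(None, map(parse_event, join_records(text)))
    return [e for e in events
            if e.get("MODULE") == "CommandCheck" and int(e.get("SCORE", 0)) >= min_score]
```

Grouping the returned events by `host` and `PATH` makes recurring administrative tooling stand out, which helps with the false positives described in the next section.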

22.2. Typical False Positives

  • Legitimate administrative activity that looks suspicious

22.3. Attribute Evaluation

Attribute | Question | Answer | Indication | Weight
LOCATION | See chapter File Path Checks