22. CommandCheck
The CommandCheck module is a meta module that analyses full command lines (path, executable, parameters) in different modules.
22.1. Samples
May 20 12:25:49 server55.local.net/10.1.12.2
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: C:\Windows\TEMP\vmw72DE.tmp\guestcustutil.exe
SCORE: 75
May 6 11:26:59 server88.local.net/10.10.9.33
THOR: Warning: MODULE: CommandCheck
MESSAGE: Command in suspicious location
PATH: d:\temp\aaa.cmd
SCORE: 75
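A minimal parser for the sample events above, added here as an illustration; it is not part of THOR or its documentation. It assumes each event arrives as a single syslog line with the `MODULE`, `MESSAGE`, `PATH` and `SCORE` fields shown in the samples; the function names are hypothetical.

```python
import ntpath  # Windows path semantics regardless of the analyst's OS
import re
from collections import Counter

# Constructed input: the two sample events from this page, one per line (assumed layout).
SAMPLE_LOG = r"""May 20 12:25:49 server55.local.net/10.1.12.2 THOR: Warning: MODULE: CommandCheck MESSAGE: Command in suspicious location PATH: C:\Windows\TEMP\vmw72DE.tmp\guestcustutil.exe SCORE: 75
May 6 11:26:59 server88.local.net/10.10.9.33 THOR: Warning: MODULE: CommandCheck MESSAGE: Command in suspicious location PATH: d:\temp\aaa.cmd SCORE: 75
"""

HEADER = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^/\s]+)/(?P<ip>\S+) THOR: (?P<level>\w+): (?P<body>.*)$"
)
# A field is an upper-case name followed by ": "; its value runs to the next field.
# Drive letters such as "C:\" are not mistaken for fields (no space after the colon).
FIELD = re.compile(r"([A-Z][A-Z_]*): (.*?)(?= [A-Z][A-Z_]*: |$)")


def parse_commandcheck(log_text):
    """Return one dict per CommandCheck event found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not a THOR line in the assumed layout
        fields = dict(FIELD.findall(m["body"]))
        if fields.get("MODULE") != "CommandCheck":
            continue
        score = fields.get("SCORE", "")
        events.append({
            "time": m["time"], "host": m["host"], "ip": m["ip"],
            "level": m["level"], "message": fields.get("MESSAGE", ""),
            "path": fields.get("PATH", ""),
            "score": int(score) if score.isdigit() else None,
        })
    return events


def directories_by_hits(events):
    """Count events per lower-cased parent directory, as a first triage view."""
    return Counter(ntpath.dirname(e["path"]).lower() for e in events)


if __name__ == "__main__":
    for event in parse_commandcheck(SAMPLE_LOG):
        print(event["host"], event["score"], event["path"])
```

Grouping by directory makes recurring locations stand out, which helps when separating repeated administrative activity from one-off hits.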
22.2. Typical False Positives
Legitimate administrative activity that looks suspicious
22.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight |
---|---|---|---|---|
LOCATION | See chapter File Path Checks |