From 9ee554862378153823ed65a8f0a8d19888fea5a0 Mon Sep 17 00:00:00 2001 From: Ekitji <41170494+Ekitji@users.noreply.github.com> Date: Tue, 10 Sep 2024 14:31:38 +0200 Subject: [PATCH] Updates in Stordiag.exe (#394) --- yml/OSBinaries/Stordiag.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Stordiag.yml b/yml/OSBinaries/Stordiag.yml index 9b47903..a2f312e 100644 --- a/yml/OSBinaries/Stordiag.yml +++ b/yml/OSBinaries/Stordiag.yml @@ -10,15 +10,24 @@ Commands: Category: Execute Privileges: User MitreID: T1218 - OperatingSystem: Windows 10, Windows 11 + OperatingSystem: Windows 10 + - Command: stordiag.exe + Description: Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it. + Usecase: Possible defence evasion purposes. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 11 Full_Path: - Path: c:\windows\system32\stordiag.exe - Path: c:\windows\syswow64\stordiag.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml - - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ + - IOC: systeminfo.exe, fltmc.exe or schtasks.exe or powershell.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ Resources: - Link: https://twitter.com/eral4m/status/1451112385041911809 Acknowledgement: - Person: Eral4m Handle: '@eral4m' + - Person: Ekitji + Handle: '@eki_erk'
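Review bot: The updated IOC line in this hunk reads "systeminfo.exe, fltmc.exe or schtasks.exe or powershell.exe", which is grammatically awkward and hard to parse; suggest "systeminfo.exe, fltmc.exe, schtasks.exe or powershell.exe being executed outside of their normal path ...". Two related points in the same hunk: the new Windows 11 entry repeats Usecase, Category, Privileges and MitreID verbatim from the Windows 10 entry and differs only in the child process list (schtasks.exe and powershell.exe instead of systeminfo.exe, fltmc.exe and schtasks.exe), so the Description should state explicitly that this is the Windows 11 behaviour and that the first entry now documents only Windows 10, otherwise readers will not understand why OperatingSystem was narrowed; and the Detection section still points at the Sigma rule pinned to commit 683b63f8, which predates the addition of powershell.exe to the IOC list, so please confirm that rule already treats powershell.exe as a suspicious child of stordiag.exe or update the pin to a revision that does.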