Stordiag.exe

Storage diagnostic tool

Paths

• c:\windows\system32\stordiag.exe
• c:\windows\syswow64\stordiag.exe

Commands

Execute

Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.

Use case: Possible defence evasion purposes.

Privileges: User

stordiag.exe

Execute

Once executed, Stordiag.exe will execute schtasks.exe and powershell.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.

Use case: Possible defence evasion purposes.

Privileges: User

stordiag.exe

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml
• IOC: systeminfo.exe, fltmc.exe or schtasks.exe or powershell.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\

Resources

• https://twitter.com/eral4m/status/1451112385041911809