title: Dridex Process Pattern
ruletype: Sigma
id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
status: test
description: Detects process patterns typical of Dridex, i.e. an svchost.exe copy launched from a user's Desktop folder, or svchost.exe spawning whoami /all or net view for host and share discovery
references:
    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
author: Florian Roth, oscd.community
date: 2019/01/10
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.discovery
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\svchost.exe'
    SELECTION_3:
        CommandLine: '*C:\Users\\*'
    SELECTION_4:
        CommandLine: '*\Desktop\\*'
    SELECTION_5:
        ParentImage: '*\svchost.exe'
    SELECTION_6:
        Image: '*\whoami.exe'
    SELECTION_7:
        CommandLine: '*all*'
    SELECTION_8:
        Image:
            - '*\net.exe'
            - '*\net1.exe'
    SELECTION_9:
        CommandLine: '*view*'
    condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 and ((SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9)))))
falsepositives:
    - Unlikely
level: critical
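The detection block above evaluated over constructed Sysmon process-creation records, as an added Python example that is not part of the Sigma project or the rule author's tooling. The wildcard-to-regex translation follows Sigma's escaping rules (`\*` is a literal asterisk, `\\*` is a backslash followed by a wildcard, plain `\` before anything else is a literal backslash, and matching is case-insensitive); the field names are the Sysmon ones the rule uses and every sample event is constructed, not captured. One caveat the example makes visible: SELECTION_1 pins the rule to Sysmon Event ID 1 even though the logsource category `process_creation` is meant to be backend-neutral, so a record from another source carrying the same process tree (the last sample, tagged with Security event 4688) is never matched.

```python
import re

# Added example, not the rule author's code. Selections are transcribed from the
# rule's detection block; a field with several values matches on any of them.
SELECTIONS = {
    "SELECTION_1": {"EventID": ["1"]},
    "SELECTION_2": {"Image": [r"*\svchost.exe"]},
    "SELECTION_3": {"CommandLine": [r"*C:\Users\\*"]},
    "SELECTION_4": {"CommandLine": [r"*\Desktop\\*"]},
    "SELECTION_5": {"ParentImage": [r"*\svchost.exe"]},
    "SELECTION_6": {"Image": [r"*\whoami.exe"]},
    "SELECTION_7": {"CommandLine": ["*all*"]},
    "SELECTION_8": {"Image": [r"*\net.exe", r"*\net1.exe"]},
    "SELECTION_9": {"CommandLine": ["*view*"]},
}


def sigma_to_regex(pattern: str) -> str:
    """Translate a Sigma value with wildcards into a Python regex (no anchors)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "\\" and i + 2 < len(pattern) and pattern[i + 2] in "*?":
                # '\\*' / '\\?': literal backslash followed by a real wildcard
                out.append(re.escape("\\"))
                out.append(".*" if pattern[i + 2] == "*" else ".")
                i += 3
                continue
            if nxt in "*?":
                # '\*' / '\?': escaped wildcard, matched literally
                out.append(re.escape(nxt))
                i += 2
                continue
            if nxt == "\\":
                # '\\' not followed by a wildcard: a single literal backslash
                out.append(re.escape("\\"))
                i += 2
                continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))  # covers a lone '\' as well
        i += 1
    return "".join(out)


def sigma_match(pattern: str, value: str) -> bool:
    """Sigma string matching: whole-value, case-insensitive, wildcards expanded."""
    return re.fullmatch(sigma_to_regex(pattern), value, re.IGNORECASE) is not None


def selection_matches(event: dict, name: str) -> bool:
    """All fields of a selection must match; a list of values is an OR."""
    for field, patterns in SELECTIONS[name].items():
        value = event.get(field)
        if value is None:
            return False
        if not any(sigma_match(p, str(value)) for p in patterns):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """The rule's condition, transcribed verbatim."""
    s = lambda n: selection_matches(event, n)  # noqa: E731
    return s("SELECTION_1") and (
        (s("SELECTION_2") and s("SELECTION_3") and s("SELECTION_4"))
        or (s("SELECTION_5") and ((s("SELECTION_6") and s("SELECTION_7"))
                                  or (s("SELECTION_8") and s("SELECTION_9"))))
    )


# Constructed sample events (hypothetical paths and user names).
EVENTS = [
    {"EventID": 1,  # svchost.exe copy launched from a user's Desktop
     "Image": r"C:\Users\victim\Desktop\svchost.exe",
     "CommandLine": r"C:\Users\victim\Desktop\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1,  # svchost.exe (injected) running whoami /all
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1,  # svchost.exe (injected) enumerating shares
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net view",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1,  # legitimate service host: System32 image, services.exe parent
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1,  # an operator typing whoami /all from cmd.exe: parent is not svchost
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688,  # same tree as event 1 but not a Sysmon record: gated out by SELECTION_1
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def evaluate(events: list) -> list:
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        print(f"event {i}: {'ALERT' if rule_matches(e) else 'no match':8} {e['CommandLine']}")
```

Running it fires on the first three events only: the service host from System32 with a services.exe parent and the whoami invocation under cmd.exe both fall through, and the 4688 record is dropped by the EventID gate before any process pattern is examined.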