title: DTRACK Process Creation
id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
status: experimental
description: Detects specific process parameters as seen in DTRACK infections
references:
    - https://securelist.com/my-name-is-dtrack/93338/
    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
author: Florian Roth
date: 2019/10/30
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '* echo EEEE > *'
    condition: SELECTION_1 and SELECTION_2
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
ruletype: SIGMA