title: Formbook Process Creation
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
description: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent processes with command-line parameters.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    ParentCommandLine:
      - 'C:\Windows\System32\\*'
      - 'C:\Windows\SysWOW64\\*'
  SELECTION_3:
    ParentCommandLine:
      - '*.exe'
  SELECTION_4:
    CommandLine: '*C:\Users\\*'
  SELECTION_5:
    CommandLine: '*/c*'
  SELECTION_6:
    CommandLine: '*del*'
  SELECTION_7:
    CommandLine: '*\AppData\Local\Temp\\*'
  SELECTION_8:
    CommandLine: '*/c*'
  SELECTION_9:
    CommandLine: '*del*'
  SELECTION_10:
    CommandLine: '*\Desktop\\*'
  SELECTION_11:
    CommandLine: '*/C*'
  SELECTION_12:
    CommandLine: '*type nul >*'
  SELECTION_13:
    CommandLine: '*\Desktop\\*'
  SELECTION_14:
    CommandLine: '*.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and ((SELECTION_5 and SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10) or (SELECTION_11 and SELECTION_12 and SELECTION_13)) and SELECTION_14)
falsepositives:
  - Unknown
fields:
  - CommandLine
  - ParentCommandLine
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
level: critical
logsource:
  category: process_creation
  product: windows
modified: 2019/10/31
references:
  - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
  - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
  - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
  - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
status: experimental
tags:
  - attack.develop_capabilities
  - attack.t1587.001
ruletype: SIGMA
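As an added illustration (not part of the rule or of any Sigma backend), the following Python evaluates this rule's selections and condition over constructed process_creation events, so the effect of the parent-command-line exclusion can be checked. It assumes Sigma's wildcard escaping (`\\` plain backslash, `\*` plain asterisk, bare `*` wildcard) and case-insensitive matching; the sample events are invented.

```python
import re

# Sigma wildcard escaping: '\\' is a plain backslash, '\*' a plain asterisk, a bare '*'
# matches any run of characters; case-insensitive matching is an assumption made here.
def sigma_pattern_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and pattern[i + 1:i + 2] in ("\\", "*"):
            out.append(re.escape(pattern[i + 1])); i += 2
        elif pattern[i] == "*":
            out.append(".*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

# The rule's selections as transcribed: field -> list of alternative patterns (OR).
SEL = {
    "1": ("EventID", ["1"]),
    "2": ("ParentCommandLine", [r"C:\Windows\System32\\*", r"C:\Windows\SysWOW64\\*"]),
    "3": ("ParentCommandLine", ["*.exe"]),
    "4": ("CommandLine", [r"*C:\Users\\*"]),
    "5": ("CommandLine", ["*/c*"]), "6": ("CommandLine", ["*del*"]),
    "7": ("CommandLine", [r"*\AppData\Local\Temp\\*"]),
    "8": ("CommandLine", ["*/c*"]), "9": ("CommandLine", ["*del*"]),
    "10": ("CommandLine", [r"*\Desktop\\*"]),
    "11": ("CommandLine", ["*/C*"]), "12": ("CommandLine", ["*type nul >*"]),
    "13": ("CommandLine", [r"*\Desktop\\*"]), "14": ("CommandLine", ["*.exe"]),
}

def sel(event, name):
    field, patterns = SEL[name]
    return any(sigma_pattern_to_regex(p).fullmatch(str(event.get(field, ""))) for p in patterns)

def formbook_match(event):  # the rule's condition expression for one event
    def s(n): return sel(event, n)
    return (s("1") and s("2") and s("3") and s("4")
            and ((s("5") and s("6") and s("7"))
                 or (s("8") and s("9") and s("10"))
                 or (s("11") and s("12") and s("13")))
            and s("14"))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # injected System32 host without arguments spawning the Temp-dropper cleanup: matches
    {"EventID": 1, "ParentCommandLine": r"C:\Windows\System32\svchost.exe", "CommandLine": r"/c del C:\Users\alice\AppData\Local\Temp\dropper.exe"},
    # same child, but the parent carries arguments, so the rule's false-positive exclusion applies
    {"EventID": 1, "ParentCommandLine": r"C:\Windows\System32\cmd.exe /c run.bat", "CommandLine": r"/c del C:\Users\alice\AppData\Local\Temp\dropper.exe"},
    # benign deletion outside the watched folders and not ending in .exe: no match
    {"EventID": 1, "ParentCommandLine": r"C:\Windows\System32\explorer.exe", "CommandLine": r"cmd /c del C:\Users\alice\Documents\notes.txt"},
]
```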