title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: experimental
description: Detects Formbook-like process executions that inject code into one of a set of System32 binaries, which then run a distinctive command line to delete (or truncate) the dropper in the user's AppData Temp or Desktop folder. False positives are reduced by excluding every parent process whose command line carries parameters (the parent command line must end in .exe).
references:
    - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
    - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
    - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
    - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
modified: 2019/10/31
tags:
    - attack.develop_capabilities
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        ParentCommandLine: 'C:\Windows\System32\\*'
    SELECTION_3:
        ParentCommandLine: 'C:\Windows\SysWOW64\\*'
    SELECTION_4:
        ParentCommandLine: '*.exe'
    SELECTION_5:
        CommandLine: '*C:\Users\\*'
    SELECTION_6:
        CommandLine: '*/c*'
    SELECTION_7:
        CommandLine: '*del*'
    SELECTION_8:
        CommandLine: '*\AppData\Local\Temp\\*'
    SELECTION_9:
        CommandLine: '*/c*'
    SELECTION_10:
        CommandLine: '*del*'
    SELECTION_11:
        CommandLine: '*\Desktop\\*'
    SELECTION_12:
        CommandLine: '*/C*'
    SELECTION_13:
        CommandLine: '*type nul >*'
    SELECTION_14:
        CommandLine: '*\Desktop\\*'
    SELECTION_15:
        CommandLine: '*.exe'
    condition: SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4 and SELECTION_5 and ((SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10 and SELECTION_11) or (SELECTION_12 and SELECTION_13 and SELECTION_14)) and SELECTION_15
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: critical
yml_filename: win_malware_formbook.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
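The detection block above, run over constructed Sysmon process-creation records, as an added example that is neither the rule authors' nor the Sigma project's code. It transcribes the fifteen selections and the condition as written, implements Sigma's `*` and `?` wildcards with Sigma's backslash escaping and case-insensitive matching, and feeds them six sample events. The user name, file names and parent binaries in the samples are assumptions for illustration, not observed telemetry.

```python
import re

# Added example: the rule's selections and condition transcribed into Python and
# run over constructed Sysmon EventID 1 records. Not the Sigma project's code.


def sigma_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    r"""Translate a Sigma value with * and ? wildcards into an anchored regex.

    Sigma escaping: '\*' and '\?' are literal wildcard characters, '\\' is one
    backslash, and a backslash before any other character is itself literal,
    so '*\Desktop\\*' matches any value containing \Desktop\ followed by
    anything. Matching is case-insensitive, as Sigma specifies for strings.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            parts.append(re.escape(pattern[i + 1]))   # escaped literal
            i += 2
        elif ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# Field/value pairs copied from the rule; raw strings keep the YAML backslashes.
SELECTIONS = {
    "SELECTION_1": ("EventID", 1),
    "SELECTION_2": ("ParentCommandLine", r"C:\Windows\System32\\*"),
    "SELECTION_3": ("ParentCommandLine", r"C:\Windows\SysWOW64\\*"),
    "SELECTION_4": ("ParentCommandLine", r"*.exe"),
    "SELECTION_5": ("CommandLine", r"*C:\Users\\*"),
    "SELECTION_6": ("CommandLine", r"*/c*"),
    "SELECTION_7": ("CommandLine", r"*del*"),
    "SELECTION_8": ("CommandLine", r"*\AppData\Local\Temp\\*"),
    "SELECTION_9": ("CommandLine", r"*/c*"),
    "SELECTION_10": ("CommandLine", r"*del*"),
    "SELECTION_11": ("CommandLine", r"*\Desktop\\*"),
    "SELECTION_12": ("CommandLine", r"*/C*"),
    "SELECTION_13": ("CommandLine", r"*type nul >*"),
    "SELECTION_14": ("CommandLine", r"*\Desktop\\*"),
    "SELECTION_15": ("CommandLine", r"*.exe"),
}

COMPILED = {
    name: (field, value if isinstance(value, int) else sigma_pattern_to_regex(value))
    for name, (field, value) in SELECTIONS.items()
}


def selection_matches(name: str, event: dict) -> bool:
    field, matcher = COMPILED[name]
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(matcher, int):          # numeric field: exact comparison
        return actual == matcher
    return matcher.match(str(actual)) is not None


def evaluate(event: dict) -> bool:
    """The rule's condition, transcribed literally from the YAML."""
    def s(name):
        return selection_matches(name, event)
    return (
        s("SELECTION_1")
        and (s("SELECTION_2") or s("SELECTION_3"))
        and s("SELECTION_4")
        and s("SELECTION_5")
        and (
            (s("SELECTION_6") and s("SELECTION_7") and s("SELECTION_8"))
            or (s("SELECTION_9") and s("SELECTION_10") and s("SELECTION_11"))
            or (s("SELECTION_12") and s("SELECTION_13") and s("SELECTION_14"))
        )
        and s("SELECTION_15")
    )


# Constructed Sysmon EventID 1 records (not real telemetry); names are assumed.
SAMPLE_EVENTS = [
    {   # 1: System32 parent without arguments deletes the dropper in Temp -> match
        "EventID": 1,
        "ParentCommandLine": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c del C:\Users\victim\AppData\Local\Temp\dropper.exe",
    },
    {   # 2: same child, but the parent carries arguments -> excluded by SELECTION_4
        "EventID": 1,
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c del C:\Users\victim\AppData\Local\Temp\dropper.exe",
    },
    {   # 3: SysWOW64 parent, dropper deleted from the Desktop -> second branch matches
        "EventID": 1,
        "ParentCommandLine": r"C:\Windows\SysWOW64\msiexec.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c del C:\Users\victim\Desktop\invoice.exe",
    },
    {   # 4: installer cleaning its own Temp file; parent not in System32/SysWOW64 -> no match
        "EventID": 1,
        "ParentCommandLine": r"C:\Program Files\Installer\setup.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c del C:\Users\user\AppData\Local\Temp\setup.exe",
    },
    {   # 5: the 'type nul >' variant that truncates instead of deleting -> third branch matches
        "EventID": 1,
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /C type nul > C:\Users\victim\Desktop\sample.exe",
    },
    {   # 6: as 1, but the path is quoted, so the line ends in '"' rather than '.exe' -> missed
        "EventID": 1,
        "ParentCommandLine": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'C:\Windows\System32\cmd.exe /c del "C:\Users\victim\AppData\Local\Temp\dropper.exe"',
    },
]


def run_samples() -> list:
    """Evaluate the rule over SAMPLE_EVENTS; one bool per record, in order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Two things the run makes visible that are worth knowing when tuning. Because Sigma string matching is case-insensitive, SELECTION_9, SELECTION_10, SELECTION_12 and SELECTION_14 duplicate SELECTION_6, SELECTION_7 and SELECTION_11, so the three branches collapse to "contains /c and del and (\AppData\Local\Temp\ or \Desktop\), or contains /C and type nul > and \Desktop\"; a hand-written rule can state that directly. And SELECTION_15 requires the child command line to end in .exe, so a quoted target path (sample 6) is not matched; whether that gap matters depends on how the sandbox runs in the references rendered the command line.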