---
# Sigma rule: the Squirrel framework's Update.exe being driven from the
# command line to start another executable (living-off-the-land binary).
title: Squirrel Lolbin
id: fa4b21c9-0057-4493-b289-2556416ae4d7
status: experimental
description: Detects Possible Squirrel Packages Manager as Lolbin
references:
  - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
  - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2019/11/12
modified: 2020/11/28
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  # EventID 1 is the Sysmon process-creation event.
  SELECTION_1:
    EventID: 1
  # Suffix match on the image path, so the updater is accepted from any
  # directory; single quotes keep the backslash literal.
  SELECTION_2:
    Image: '*\update.exe'
  # Update.exe switches that launch or register another program. A list of
  # values is OR'ed; '*--processStart*' already covers the AndWait form.
  SELECTION_3:
    CommandLine:
      - '*--processStart*'
      - '*--processStartAndWait*'
      - '*--createShortcut*'
  # Some executable must be named on the command line as well.
  SELECTION_4:
    CommandLine: '*.exe*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
# Electron-based applications that ship Squirrel and update themselves
# through the same switches. Tune on parent process or install path rather
# than dropping the rule; several names are listed twice with different
# casing.
falsepositives:
  - 1Clipboard
  - Beaker Browser
  - Caret
  - Collectie
  - Discord
  - Figma
  - Flow
  - Ghost
  - GitHub Desktop
  - GitKraken
  - Hyper
  - Insomnia
  - JIBO
  - Kap
  - Kitematic
  - Now Desktop
  - Postman
  - PostmanCanary
  - Rambox
  - Simplenote
  - Skype
  - Slack
  - SourceTree
  - Stride
  - Svgsus
  - WebTorrent
  - WhatsApp
  - WordPress.com
  - atom
  - gitkraken
  - slack
  - teams
level: high
ruletype: SIGMA