CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/win_malware_formbook.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

66 lines
2.1 KiB
YAML
Raw Blame History

title: Formbook Process Creation
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
description: Detects Formbook like process executions that inject code into a set
of files in the System32 folder, which executes a special command command line
to delete the dropper from the AppData Temp folder. We avoid false positives by
excluding all parent process with command line parameters.
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*del*'
SELECTION_11:
CommandLine: '*\Desktop\\*'
SELECTION_12:
CommandLine: '*/C*'
SELECTION_13:
CommandLine: '*type nul >*'
SELECTION_14:
CommandLine: '*\Desktop\\*'
SELECTION_15:
CommandLine: '*.exe'
SELECTION_2:
ParentCommandLine: C:\Windows\System32\\*
SELECTION_3:
ParentCommandLine: C:\Windows\SysWOW64\\*
SELECTION_4:
ParentCommandLine: '*.exe'
SELECTION_5:
CommandLine: '*C:\Users\\*'
SELECTION_6:
CommandLine: '*/c*'
SELECTION_7:
CommandLine: '*del*'
SELECTION_8:
CommandLine: '*\AppData\Local\Temp\\*'
SELECTION_9:
CommandLine: '*/c*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and (SELECTION_4) and
SELECTION_5 and ((SELECTION_6 and SELECTION_7 and SELECTION_8) or (SELECTION_9
and SELECTION_10 and SELECTION_11) or (SELECTION_12 and SELECTION_13 and SELECTION_14))
and SELECTION_15)
falsepositives:
- Unknown
fields:
- CommandLine
- ParentCommandLine
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
level: critical
logsource:
category: process_creation
product: windows
modified: 2019/10/31
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
status: experimental
tags:
- attack.develop_capabilities
- attack.t1587.001
yml_filename: win_malware_formbook.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
Reference in New Issue View Git Blame Copy Permalink