Drops fake system file at system root drive
Sigma rule
title: Drops fake system file at system root drive
status: experimental
description: Drops fake system file at system root drive
author: Joe Security
date: 2021-08-13
id: 200103
threatname:
behaviorgroup: 7
classification: 8
logsource:
    service: sysmon
    product: windows
detection:
    selection:
        EventID: 11
        TargetFilename:
            - 'c:\svchost.exe'
            - 'c:\rundll32.exe'
            - 'c:\powershell.exe'
            - 'c:\regsvr32.exe'
            - 'c:\spoolsv.exe'
            - 'c:\lsass.exe'
            - 'c:\smss.exe'
            - 'c:\csrss.exe'
            - 'c:\conhost.exe'
            - 'c:\wininit.exe'
            - 'c:\winlogon.exe'
            - 'c:\taskhost.exe'
            - 'c:\taskmgr.exe'
            - 'c:\runtimebroker.exe'
            - 'c:\smartscreen.exe'
            - 'c:\dllhost.exe'
            - 'c:\services.exe'
    condition: selection
level: critical
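As an added example, not part of the rule page or Joe Security's tooling, the following Python applies the rule's selection block to constructed Sysmon Event ID 11 (FileCreate) records using Sigma's default semantics (case-insensitive comparison, exact match when the value has no wildcards). It shows that only a file created directly at the root of C: fires, that the legitimate copies under C:\Windows\System32 do not, and that drops on other drive letters fall outside the rule's list; the sample events and the setup.exe/tool.exe image paths are constructed for the demonstration.

```python
# Added example: evaluate the Sigma rule above against constructed Sysmon
# Event ID 11 records. Not part of the rule or Joe Security's code.

# TargetFilename values copied from the rule's selection block.
FAKE_SYSTEM_FILES = {
    r"c:\svchost.exe", r"c:\rundll32.exe", r"c:\powershell.exe",
    r"c:\regsvr32.exe", r"c:\spoolsv.exe", r"c:\lsass.exe",
    r"c:\smss.exe", r"c:\csrss.exe", r"c:\conhost.exe",
    r"c:\wininit.exe", r"c:\winlogon.exe", r"c:\taskhost.exe",
    r"c:\taskmgr.exe", r"c:\runtimebroker.exe", r"c:\smartscreen.exe",
    r"c:\dllhost.exe", r"c:\services.exe",
}


def matches_rule(event: dict) -> bool:
    """True if a Sysmon event satisfies the rule's 'selection' block.

    Sigma compares strings case-insensitively, and a value without
    wildcards is an exact match, so only a file created directly at the
    root of C: matches; the real binaries under C:\\Windows\\System32 do not.
    """
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return target.lower() in FAKE_SYSTEM_FILES


def alerts(events: list) -> list:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\svchost.exe"},                 # fires: root-drive drop
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\svchost.exe"},  # legitimate location
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\lsass.exe"},  # not at the root
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\LSASS.EXE"},                   # fires: case-insensitive
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"D:\svchost.exe"},                 # drive not in the rule
    {"EventID": 1, "Image": r"C:\svchost.exe",
     "TargetFilename": r"C:\svchost.exe"},                 # wrong EventID, no match
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT (critical):", name)
```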