CMD Launching Batch Script Stored on External Drive (Chromeloader)

Detects instances of CMD executing a batch script stored on an externally-mounted drive (D: or later), in turn spawning a tar extraction process that unpacks into a user's AppData directory.

Sigma rule

title: CMD Launching Batch Script Stored on External Drive (Chromeloader)
id: 79cd4f76-2df9-42e1-a957-34fb7ee5a3cc
status: experimental
description: Detects instances of CMD executing a batch script stored on an externally-mounted drive, in turn spawning a tar extraction process.
references:
    - https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
author: Micah Babinski
date: 2022/11/07
tags:
    - attack.defense_evasion
    - attack.t1553
    - attack.t1553.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # Parent is cmd.exe or powershell.exe invoked with /c (or -c, via windash)
        # on a script that lives on drive D: or later, i.e. not the system drive.
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|windash: '/c'
        # Caveat: 'cmdline' is not a batch extension, so as written this pattern does
        # not match '.cmd' scripts. The re modifier is also case-sensitive, so a
        # lowercase drive letter such as 'e:\' is not matched unless re|i is used.
        ParentCommandLine|re: '^.*[D-Z]:\\.*\.(bat|cmdline).*$'
    selection_child_proc:
        Image|endswith: '\tar.exe'
    selection_extract_options:
        # tar extract + verbose + file, in any order of the three switches
        CommandLine|contains:
            - '-xvf'
            - '-xfv'
            - '-vxf'
            - '-vfx'
            - '-fxv'
            - '-fvx'
    selection_output_options:
        # tar -C <dir> (string matching is case-insensitive) with a target under
        # AppData. Both substrings are required, hence |all: two separate
        # 'CommandLine|contains' keys in one map would be a duplicate YAML key.
        CommandLine|contains|all:
            - '-c'
            - 'appdata\'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
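To see how the four selections combine, here is an added example (not part of the rule or of this page) that re-implements the rule's matching logic in Python and runs it over a handful of constructed process-creation events. Field names follow the Sigma process_creation taxonomy; the events, paths, user name and the `name` label are made up. It treats the `-c` and `appdata\` conditions as both required, applies plain string matching case-insensitively as Sigma does, and keeps the `re` pattern case-sensitive, which is what exposes the lowercase-drive-letter and `.cmd` misses.

```python
import re

# Added example, not the rule's own code: Python re-implementation of the
# selections in the Sigma rule above, evaluated over constructed events.

PARENT_IMAGES = ("\\powershell.exe", "\\cmd.exe")
# Sigma's re modifier is case-sensitive unless |i is added, so no re.IGNORECASE here.
PARENT_SCRIPT_RE = re.compile(r"^.*[D-Z]:\\.*\.(bat|cmdline).*$")
EXTRACT_OPTIONS = ("-xvf", "-xfv", "-vxf", "-vfx", "-fxv", "-fvx")
OUTPUT_OPTIONS = ("-c", "appdata\\")  # tar -C <dir> under ...\AppData\...; both required


def windash_variants(value):
    """Approximates Sigma's |windash modifier: a switch written with '/' also matches with '-'."""
    if value.startswith("/"):
        return (value, "-" + value[1:])
    return (value,)


def selection_parent(event):
    parent_image = event.get("ParentImage", "").lower()  # plain matching is case-insensitive
    parent_cmd = event.get("ParentCommandLine", "")
    return (
        parent_image.endswith(PARENT_IMAGES)
        and any(v in parent_cmd.lower() for v in windash_variants("/c"))
        and PARENT_SCRIPT_RE.match(parent_cmd) is not None
    )


def selection_child_proc(event):
    return event.get("Image", "").lower().endswith("\\tar.exe")


def selection_extract_options(event):
    cmd = event.get("CommandLine", "").lower()
    return any(opt in cmd for opt in EXTRACT_OPTIONS)


def selection_output_options(event):
    cmd = event.get("CommandLine", "").lower()
    return all(opt in cmd for opt in OUTPUT_OPTIONS)


def matches_rule(event):
    """condition: all of selection*"""
    selections = (selection_parent, selection_child_proc,
                  selection_extract_options, selection_output_options)
    return all(sel(event) for sel in selections)


# Constructed child command line shared by several events below.
TAR_TO_APPDATA = ("tar.exe -xvf E:\\Installer\\payload.tar "
                  "-C C:\\Users\\alice\\AppData\\Roaming\\Extension")
TAR_IMAGE = "C:\\Windows\\System32\\tar.exe"

# Constructed process_creation events (hypothetical, for illustration only).
EVENTS = [
    {"name": "batch on E: spawns tar into AppData (expected hit)",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": 'cmd.exe /c "E:\\Installer\\setup.bat"',
     "Image": TAR_IMAGE, "CommandLine": TAR_TO_APPDATA},
    {"name": "powershell -c on an external batch (windash turns /c into -c)",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentCommandLine": "powershell.exe -c E:\\Setup\\run.bat",
     "Image": TAR_IMAGE, "CommandLine": TAR_TO_APPDATA},
    {"name": "same extraction, but the script lives on the system drive",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c C:\\Tools\\build.bat",
     "Image": TAR_IMAGE, "CommandLine": TAR_TO_APPDATA},
    {"name": "external batch, but tar does not extract into AppData",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c E:\\Installer\\setup.bat",
     "Image": TAR_IMAGE,
     "CommandLine": "tar.exe -xvf E:\\Installer\\data.tar -C D:\\Work"},
    {"name": ".cmd script: missed because the pattern says cmdline, not cmd",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c E:\\Installer\\setup.cmd",
     "Image": TAR_IMAGE, "CommandLine": TAR_TO_APPDATA},
    {"name": "lowercase drive letter: missed by the case-sensitive re modifier",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c e:\\installer\\setup.bat",
     "Image": TAR_IMAGE, "CommandLine": TAR_TO_APPDATA},
]


def evaluate(events):
    """Map each event's label to whether the rule fires on it."""
    return {e["name"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate(EVENTS).items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

The first two events fire and the remaining four do not; the last two are the misses the rule's regex produces as written, which is worth knowing before deploying it against telemetry where drive letters are not always uppercase.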
