Suspicious User-Initiated Process Execution on External Drive (Sysmon)

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Sigma rule

```yaml
title: Suspicious User-Initiated Process Execution on External Drive (Sysmon)
id: 2a054382-98a1-4d96-b966-ded8e5aa3a65
status: experimental
description: Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.
references:
    - https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
    - https://www.malwarebytes.com/blog/news/2021/11/evasive-maneuvers-html-smuggling-explained
    - Original research and analysis performed off of QakBot intelligence gathered at https://github.com/pr0xylife/Qakbot, https://www.malware-traffic-analysis.net/, and https://github.com/executemalware/Malware-IOCs
author: Micah Babinski
date: 2022/12/19
tags:
    - attack.s0650
    - attack.s0483
    - attack.execution
    - attack.t1059
    - attack.t1204
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
    filter_cwd:
        CurrentDirectory|startswith: 'C:'
    filter_external_exe:
        Image|startswith: 'C:'
    condition: selection and (not filter_cwd or not filter_external_exe)
falsepositives:
    - Unknown
level: high
```
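To check how the condition above behaves before deploying it, the following added example re-implements the rule's logic in plain Python and runs it over constructed Sysmon Event ID 1 records; this is not code from the rule or from SigmaHQ. It assumes the Sigma windows process_creation field names the rule uses (Image, ParentImage, CurrentDirectory) and mirrors Sigma's default case-insensitive string matching, which is why a lower-case drive letter does not cause a false alert.

```python
# Added example: plain-Python evaluation of the rule's condition over
# constructed Sysmon Event ID 1 records. Not from the rule or SigmaHQ.

def _endswith(value: str, suffix: str) -> bool:
    # Sigma string modifiers compare case-insensitively by default.
    return value.lower().endswith(suffix.lower())

def _startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())

def matches(event: dict) -> bool:
    """Evaluate: selection and (not filter_cwd or not filter_external_exe)."""
    selection = _endswith(event.get("ParentImage", ""), "\\explorer.exe")
    filter_cwd = _startswith(event.get("CurrentDirectory", ""), "C:")
    filter_external_exe = _startswith(event.get("Image", ""), "C:")
    # A working directory or a binary outside C: defeats one filter each.
    return selection and (not filter_cwd or not filter_external_exe)

# Constructed sample events (not real telemetry); "id" is only a label.
SAMPLE_EVENTS = [
    {   # LNK opened from a USB stick: cmd.exe lives on C:, but the working
        # directory is the removable drive, so filter_cwd does not apply.
        "id": "usb-lnk-cmd", "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CurrentDirectory": "E:\\"},
    {   # Binary launched directly from a D: volume; filter_external_exe fails.
        "id": "portable-exe-d-drive", "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "D:\\tools\\portable.exe", "CurrentDirectory": "C:\\Users\\alice"},
    {   # Ordinary double-click of a document on C:; both filters apply even
        # though the drive letter is recorded in lower case.
        "id": "notepad-local", "ParentImage": "c:\\windows\\EXPLORER.EXE",
        "Image": "c:\\Windows\\System32\\notepad.exe",
        "CurrentDirectory": "c:\\Users\\alice\\Documents"},
    {   # Parent is not explorer.exe, so the selection never matches.
        "id": "cmd-child-on-usb", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CurrentDirectory": "E:\\"},
]

def triage(events: list) -> list:
    """Return the ids of the events this rule would alert on."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # ['usb-lnk-cmd', 'portable-exe-d-drive']
```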
