Suspicious User-Initiated Process Execution on External Drive (Old)

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Sigma rule:

```yaml
title: Suspicious User-Initiated Process Execution on External Drive (Old)
id: 2a054382-98a1-4d96-b966-ded8e5aa3a65
status: experimental
description: Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.
references:
    - https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
    - Research and analysis performed off of QakBot intelligence gathered at https://github.com/pr0xylife/Qakbot
author: Micah Babinski
date: 2022/12/19
tags:
    - attack.s0650
    - attack.s0483
    - attack.execution
    - attack.t1059
    - attack.t1204
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    # User-initiated: the child was spawned by the shell (e.g. a double-clicked LNK)
    selection_explorer_parent:
        ParentImage|endswith: '\explorer.exe'
    # Interpreters commonly launched via LNK lures
    selection_cmd_scripting_interp:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
    # Working directory on the system drive (i.e. not an external/removable volume)
    filter_cwd:
        CurrentDirectory|startswith: 'C:'
    # Binary itself located on the system drive
    filter_external_exe:
        Image|startswith: 'C:'
    # Fires when explorer launches either (a) any binary stored outside C:, or
    # (b) an interpreter whose working directory is outside C:
    condition: selection_explorer_parent and (not filter_external_exe or (selection_cmd_scripting_interp and not filter_cwd))
falsepositives:
    - Unknown
level: high
```
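To see exactly which events the condition above selects, here is the rule's logic re-implemented in Python and run over a handful of constructed `process_creation` events. This is an added illustration, not code from the rule author or the Sigma project; the event dictionaries and their `id` labels are made up for the example, and Sigma's default case-insensitive string matching is assumed.

```python
"""Evaluate this Sigma rule's condition against constructed process_creation events."""

# Constructed sample events (not real telemetry); field names follow the rule.
SAMPLE_EVENTS = [
    {"id": "lnk-on-usb", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": "E:\\"},
    {"id": "normal-cmd", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Users\alice"},
    {"id": "exe-from-usb", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"E:\tools\setup.exe", "CurrentDirectory": r"E:\tools"},
    {"id": "not-explorer", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": "E:\\"},
]

INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe")


def _field(event, name):
    # Sigma string modifiers match case-insensitively; a missing field never matches.
    return str(event.get(name, "")).lower()


def selection_explorer_parent(event):
    return _field(event, "ParentImage").endswith("\\explorer.exe")


def selection_cmd_scripting_interp(event):
    return _field(event, "Image").endswith(INTERPRETERS)


def filter_cwd(event):
    return _field(event, "CurrentDirectory").startswith("c:")


def filter_external_exe(event):
    return _field(event, "Image").startswith("c:")


def rule_matches(event):
    # condition: selection_explorer_parent and
    #   (not filter_external_exe or (selection_cmd_scripting_interp and not filter_cwd))
    return selection_explorer_parent(event) and (
        not filter_external_exe(event)
        or (selection_cmd_scripting_interp(event) and not filter_cwd(event))
    )


def matching_ids(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_ids(SAMPLE_EVENTS))  # ['lnk-on-usb', 'exe-from-usb']
```

Note that the first branch of the condition (`not filter_external_exe`) fires for any explorer-launched binary stored outside `C:`, interpreter or not, which is where most of the rule's "Unknown" false positives (portable tools run from removable media) will come from.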
