SocGholish Script File Whoami Output to File (RedCanary Threat Detection Report)
Detects wscript spawning CMD which in turn runs whoami, with the output of the command directed to a file. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: SocGholish Script File Whoami Output to File (RedCanary Threat Detection Report)
2id: 0886986b-47e9-41e8-87c7-41b202503b24
3status: experimental
4description: Detects wscript spawning CMD which in turn runs whoami, with the output of the command directed to a file. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.discovery
11 - attack.t1033
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith: '\wscript.exe'
18 Image|endswith: '\cmd.exe'
19 CommandLine|contains|windash:
20 - 'whoami /all >'
21 condition: selection
22falsepositives:
23 - Unknown
24level: low```
References
-
SocGholish leverages drive-by-downloads masquerading as software updates to trick visitors of compromised websites into executing malware.
Read More
Related rules
- Local Accounts Discovery
- Renamed Whoami Execution
- WhoAmI as Parameter
- System Owner or User Discovery
- SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report)