ChromeLoader NW.js Runtime App Installation Paths

Red Canary has had success detecting ChromeLoader by looking for NW.js applications that are unsigned and running from the user's AppData\Roaming directory (%APPDATA%). This behavior is not unique to ChromeLoader, and some tuning may be required to avoid alerting on legitimate NW.js applications installed per-user. A partial list of common ChromeLoader NW.js runtime app installation paths is included below to help distinguish the signal from the noise. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: ChromeLoader NW.js Runtime App Installation Paths
id: be3e4b3e-4076-4ae3-acb9-3713c651158b
status: experimental
description: |
    Red Canary has had success detecting ChromeLoader by looking for instances of NW.js
    applications that are unsigned and running from the user's AppData\Roaming directory
    (%APPDATA%). This behavior is not unique to ChromeLoader, and some tuning may be
    required to avoid detecting legitimate applications. A partial list of common
    ChromeLoader NW.js runtime app installation paths is included below to help
    distinguish the signal from the noise. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/chromeloader/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Image lives under <drive>:\Users\<user>\AppData\Roaming\. The earlier version used a
        # lower-case Image|re pattern; Sigma's re modifier is case-sensitive, so it would not
        # match real Image values such as C:\Users\...\AppData\Roaming\... on most backends.
        # contains is case-insensitive by specification.
        Image|contains|all:
            - ':\Users\'
            - '\AppData\Roaming\'
    selection2:
        Image|endswith:
            - '\bloom\bloom.exe'
            - '\cash\cash.exe'
            - '\diet\diet.exe'
            - '\editor\editor.exe'
            - '\healthy\healthy.exe'
            - '\leading\leading.exe'
            - '\movies\movies.exe'
            - '\music\music.exe'
            - '\prime\prime.exe'
            - '\player\player.exe'
            - '\tone\tone.exe'
            - '\videos\videos.exe'
            - '\copy\nw.exe'
            - '\coreelevate\nw.exe'
            - '\debuggerstepperboundaryattribute\nw.exe'
    condition: all of selection*
falsepositives:
    - Legitimate NW.js applications installed per-user under AppData\Roaming
level: low
```
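The two selections of the rule evaluated against constructed process_creation events, as an added example by the editor; this is not Red Canary's or the Sigma project's code. Field names follow the Sysmon process_creation schema (`Image`, `ParentImage`), the events are made up, and the case-sensitive variant is included only to show why a lower-case `Image|re` pattern misses real Windows paths.

```python
"""Evaluate the ChromeLoader NW.js path rule against constructed Sysmon-style events.

Editor's example, not Red Canary's or the Sigma project's code. Events are made up; the
field names follow the Sysmon process_creation schema.
"""
import re
from typing import Iterable, List

# selection2 suffixes, lower-cased so endswith can be compared case-insensitively
# (Sigma's endswith modifier is case-insensitive by specification).
CHROMELOADER_NWJS_SUFFIXES = tuple(s.lower() for s in (
    r"\bloom\bloom.exe", r"\cash\cash.exe", r"\diet\diet.exe", r"\editor\editor.exe",
    r"\healthy\healthy.exe", r"\leading\leading.exe", r"\movies\movies.exe",
    r"\music\music.exe", r"\prime\prime.exe", r"\player\player.exe", r"\tone\tone.exe",
    r"\videos\videos.exe", r"\copy\nw.exe", r"\coreelevate\nw.exe",
    r"\debuggerstepperboundaryattribute\nw.exe",
))

# selection1 as a regex: <drive>:\users\...\appdata\roaming\... (two backslashes in the
# pattern match one literal backslash). The first compile is case-sensitive, which is how a
# Sigma "re" modifier is interpreted by most backends; the second adds IGNORECASE.
ROAMING_RE_SENSITIVE = re.compile(r"^.*:\\users\\.*\\appdata\\roaming\\.*$")
ROAMING_RE = re.compile(ROAMING_RE_SENSITIVE.pattern, re.IGNORECASE)


def in_roaming(image: str, case_insensitive: bool = True) -> bool:
    """selection1: the process image lives under the per-user AppData\\Roaming directory."""
    pattern = ROAMING_RE if case_insensitive else ROAMING_RE_SENSITIVE
    return pattern.match(image) is not None


def has_chromeloader_suffix(image: str) -> bool:
    """selection2: the image ends with one of the known ChromeLoader NW.js install paths."""
    low = image.lower()
    return any(low.endswith(s) for s in CHROMELOADER_NWJS_SUFFIXES)


def rule_matches(image: str, case_insensitive: bool = True) -> bool:
    """condition: all of selection*"""
    return in_roaming(image, case_insensitive) and has_chromeloader_suffix(image)


def triage(events: Iterable[dict], case_insensitive: bool = True) -> List[str]:
    """Return the Image values of the process_creation events that fire the rule."""
    return [e["Image"] for e in events if rule_matches(e["Image"], case_insensitive)]


# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\bloom\bloom.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Slack\slack.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Programs\bloom\bloom.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\SomeVendor\nw.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\coreelevate\nw.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"c:\users\carol\appdata\roaming\CASH\Cash.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ChromeLoader NW.js path:", hit)
    # Only the all-lower-case path survives a case-sensitive regex; the two real-looking
    # C:\Users\... paths are silently missed.
    missed = set(triage(SAMPLE_EVENTS)) - set(triage(SAMPLE_EVENTS, case_insensitive=False))
    print("missed by the case-sensitive regex:", sorted(missed))
```

Note that the rule itself has no signature check: Sysmon process-creation events carry no Authenticode fields, so the "unsigned" half of the description has to come from image-load telemetry or a follow-up signature lookup on the flagged binary, which is also where a legitimate per-user NW.js application (the `Slack\slack.exe` record above never matches because its suffix is not in the list, but a signed binary at a listed path would) gets tuned out.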
