Potential PlugX Activity
Detects the execution, from an uncommon location, of an executable that PlugX typically abuses as a host for DLL side-loading. The rule keys only on the process image path: each host binary is flagged unless it runs from the directory its vendor installs it in, so legitimate copies launched from non-standard paths will also fire.
Sigma rule
```yaml
title: Potential PlugX Activity
id: aeab5ec5-be14-471a-80e8-e344418305c2
status: test
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
references:
    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.s0013
    - attack.defense-evasion
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cammute:
        Image|endswith: '\CamMute.exe'
    filter_cammute:
        Image|contains:
            - '\Lenovo\Communication Utility\'
            - '\Lenovo\Communications Utility\'
    selection_chrome_frame:
        Image|endswith: '\chrome_frame_helper.exe'
    filter_chrome_frame:
        Image|contains: '\Google\Chrome\application\'
    selection_devemu:
        Image|endswith: '\dvcemumanager.exe'
    filter_devemu:
        Image|contains: '\Microsoft Device Emulator\'
    selection_gadget:
        Image|endswith: '\Gadget.exe'
    filter_gadget:
        Image|contains: '\Windows Media Player\'
    selection_hcc:
        Image|endswith: '\hcc.exe'
    filter_hcc:
        Image|contains: '\HTML Help Workshop\'
    selection_hkcmd:
        Image|endswith: '\hkcmd.exe'
    filter_hkcmd:
        Image|contains:
            - '\System32\'
            - '\SysNative\'
            - '\SysWow64\'
    selection_mc:
        Image|endswith: '\Mc.exe'
    filter_mc:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
    selection_msmpeng:
        Image|endswith: '\MsMpEng.exe'
    filter_msmpeng:
        Image|contains:
            - '\Microsoft Security Client\'
            - '\Windows Defender\'
            - '\AntiMalware\'
    selection_msseces:
        Image|endswith: '\msseces.exe'
    filter_msseces:
        Image|contains:
            - '\Microsoft Security Center\'
            - '\Microsoft Security Client\'
            - '\Microsoft Security Essentials\'
    selection_oinfo:
        Image|endswith: '\OInfoP11.exe'
    filter_oinfo:
        Image|contains: '\Common Files\Microsoft Shared\'
    selection_oleview:
        Image|endswith: '\OleView.exe'
    filter_oleview:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
            - '\Windows Resource Kit\'
    selection_rc:
        Image|endswith: '\rc.exe'
    filter_rc:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
            - '\Windows Resource Kit\'
            - '\Microsoft.NET\'
    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
```
References
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity