Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
Sigma rule (View on GitHub)
1title: Potential PlugX Activity
2id: aeab5ec5-be14-471a-80e8-e344418305c2
3status: test
4description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
5references:
6 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
7 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
8author: Florian Roth (Nextron Systems)
9date: 2017/06/12
10modified: 2023/02/03
11tags:
12 - attack.s0013
13 - attack.defense_evasion
14 - attack.t1574.002
15 - detection.emerging_threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_cammute:
21 Image|endswith: '\CamMute.exe'
22 filter_cammute:
23 Image|contains:
24 - '\Lenovo\Communication Utility\'
25 - '\Lenovo\Communications Utility\'
26 selection_chrome_frame:
27 Image|endswith: '\chrome_frame_helper.exe'
28 filter_chrome_frame:
29 Image|contains: '\Google\Chrome\application\'
30 selection_devemu:
31 Image|endswith: '\dvcemumanager.exe'
32 filter_devemu:
33 Image|contains: '\Microsoft Device Emulator\'
34 selection_gadget:
35 Image|endswith: '\Gadget.exe'
36 filter_gadget:
37 Image|contains: '\Windows Media Player\'
38 selection_hcc:
39 Image|endswith: '\hcc.exe'
40 filter_hcc:
41 Image|contains: '\HTML Help Workshop\'
42 selection_hkcmd:
43 Image|endswith: '\hkcmd.exe'
44 filter_hkcmd:
45 Image|contains:
46 - '\System32\'
47 - '\SysNative\'
48 - '\SysWow64\'
49 selection_mc:
50 Image|endswith: '\Mc.exe'
51 filter_mc:
52 Image|contains:
53 - '\Microsoft Visual Studio'
54 - '\Microsoft SDK'
55 - '\Windows Kit'
56 selection_msmpeng:
57 Image|endswith: '\MsMpEng.exe'
58 filter_msmpeng:
59 Image|contains:
60 - '\Microsoft Security Client\'
61 - '\Windows Defender\'
62 - '\AntiMalware\'
63 selection_msseces:
64 Image|endswith: '\msseces.exe'
65 filter_msseces:
66 Image|contains:
67 - '\Microsoft Security Center\'
68 - '\Microsoft Security Client\'
69 - '\Microsoft Security Essentials\'
70 selection_oinfo:
71 Image|endswith: '\OInfoP11.exe'
72 filter_oinfo:
73 Image|contains: '\Common Files\Microsoft Shared\'
74 selection_oleview:
75 Image|endswith: '\OleView.exe'
76 filter_oleview:
77 Image|contains:
78 - '\Microsoft Visual Studio'
79 - '\Microsoft SDK'
80 - '\Windows Kit'
81 - '\Windows Resource Kit\'
82 selection_rc:
83 Image|endswith: '\rc.exe'
84 filter_rc:
85 Image|contains:
86 - '\Microsoft Visual Studio'
87 - '\Microsoft SDK'
88 - '\Windows Kit'
89 - '\Windows Resource Kit\'
90 - '\Microsoft.NET\'
91 condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
92fields:
93 - CommandLine
94 - ParentCommandLine
95falsepositives:
96 - Unknown
97level: high
References
-
Last Updated 2023-02-25 Added xdbg32 from Trend Micro article. Last Updated 2019-09-20 A few more updates thanks to @bartblaze !!! Last Updated 2018-10-18 Updated mistake in tplcdclr.exe –> wtsapi3...
Read More -
Last April, at the SANS Threat Hunting and IR Summit, among other things, there was a new tool and technique released by Matias Bevilacqua. Matias’s presentation was titled “ShimCache and AmCache e…
Read More
Related rules
- APT27 - Emissary Panda Activity
- Winnti Malware HK University Campaign
- Winnti Pipemon Characteristics
- APT PRIVATELOG Image Load Pattern
- COLDSTEEL Persistence Service Creation