Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
Sigma rule
title: Potential PlugX Activity
id: aeab5ec5-be14-471a-80e8-e344418305c2
status: test
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
references:
    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.s0013
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cammute:
        Image|endswith: '\CamMute.exe'
    filter_cammute:
        Image|contains:
            - '\Lenovo\Communication Utility\'
            - '\Lenovo\Communications Utility\'
    selection_chrome_frame:
        Image|endswith: '\chrome_frame_helper.exe'
    filter_chrome_frame:
        Image|contains: '\Google\Chrome\application\'
    selection_devemu:
        Image|endswith: '\dvcemumanager.exe'
    filter_devemu:
        Image|contains: '\Microsoft Device Emulator\'
    selection_gadget:
        Image|endswith: '\Gadget.exe'
    filter_gadget:
        Image|contains: '\Windows Media Player\'
    selection_hcc:
        Image|endswith: '\hcc.exe'
    filter_hcc:
        Image|contains: '\HTML Help Workshop\'
    selection_hkcmd:
        Image|endswith: '\hkcmd.exe'
    filter_hkcmd:
        Image|contains:
            - '\System32\'
            - '\SysNative\'
            - '\SysWow64\'
    selection_mc:
        Image|endswith: '\Mc.exe'
    filter_mc:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
    selection_msmpeng:
        Image|endswith: '\MsMpEng.exe'
    filter_msmpeng:
        Image|contains:
            - '\Microsoft Security Client\'
            - '\Windows Defender\'
            - '\AntiMalware\'
    selection_msseces:
        Image|endswith: '\msseces.exe'
    filter_msseces:
        Image|contains:
            - '\Microsoft Security Center\'
            - '\Microsoft Security Client\'
            - '\Microsoft Security Essentials\'
    selection_oinfo:
        Image|endswith: '\OInfoP11.exe'
    filter_oinfo:
        Image|contains: '\Common Files\Microsoft Shared\'
    selection_oleview:
        Image|endswith: '\OleView.exe'
    filter_oleview:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
            - '\Windows Resource Kit\'
    selection_rc:
        Image|endswith: '\rc.exe'
    filter_rc:
        Image|contains:
            - '\Microsoft Visual Studio'
            - '\Microsoft SDK'
            - '\Windows Kit'
            - '\Windows Resource Kit\'
            - '\Microsoft.NET\'
    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
falsepositives:
    - Unknown
level: high
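To show how the condition above behaves on real-looking telemetry, here is an added example (not code from the Sigma rule, the SigmaHQ project or any Sigma backend): a small Python evaluator that re-implements the rule's `(selection_X and not filter_X)` clauses and runs them over constructed process_creation events. The selection and filter values are copied from the rule; the event dicts are invented samples.

```python
# Added example (not code from the Sigma rule or SigmaHQ tooling): a minimal
# evaluator of the rule's condition, run over constructed process_creation
# events. Sigma string modifiers match case-insensitively, so paths are
# lower-cased before comparison. Filter entries without a trailing backslash
# (e.g. '\microsoft visual studio') are deliberate prefixes that also cover
# versioned folder names such as 'Microsoft Visual Studio 14.0'.
SIDELOAD_TARGETS = {
    # selection name: (Image|endswith value, Image|contains values of the matching filter)
    "cammute": ("\\cammute.exe", ["\\lenovo\\communication utility\\",
                                  "\\lenovo\\communications utility\\"]),
    "chrome_frame": ("\\chrome_frame_helper.exe", ["\\google\\chrome\\application\\"]),
    "devemu": ("\\dvcemumanager.exe", ["\\microsoft device emulator\\"]),
    "gadget": ("\\gadget.exe", ["\\windows media player\\"]),
    "hcc": ("\\hcc.exe", ["\\html help workshop\\"]),
    "hkcmd": ("\\hkcmd.exe", ["\\system32\\", "\\sysnative\\", "\\syswow64\\"]),
    "mc": ("\\mc.exe", ["\\microsoft visual studio", "\\microsoft sdk", "\\windows kit"]),
    "msmpeng": ("\\msmpeng.exe", ["\\microsoft security client\\", "\\windows defender\\",
                                  "\\antimalware\\"]),
    "msseces": ("\\msseces.exe", ["\\microsoft security center\\", "\\microsoft security client\\",
                                  "\\microsoft security essentials\\"]),
    "oinfo": ("\\oinfop11.exe", ["\\common files\\microsoft shared\\"]),
    "oleview": ("\\oleview.exe", ["\\microsoft visual studio", "\\microsoft sdk", "\\windows kit",
                                  "\\windows resource kit\\"]),
    "rc": ("\\rc.exe", ["\\microsoft visual studio", "\\microsoft sdk", "\\windows kit",
                        "\\windows resource kit\\", "\\microsoft.net\\"]),
}


def plugx_selection(event):
    """Return the name of the (selection_X and not filter_X) clause that fires, else None."""
    image = event.get("Image", "").lower()
    for name, (suffix, legit_dirs) in SIDELOAD_TARGETS.items():
        if image.endswith(suffix) and not any(d in image for d in legit_dirs):
            return name
    return None


def evaluate(events):
    """Run the rule over process_creation events; return [(Image, selection), ...] for hits."""
    return [(e["Image"], s) for e in events if (s := plugx_selection(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\CamMute.exe"},  # vendor path
    {"Image": "C:\\Users\\Public\\Libraries\\CamMute.exe"},                            # uncommon location
    {"Image": "C:\\Windows\\System32\\hkcmd.exe"},                                     # system directory
    {"Image": "C:\\ProgramData\\Intel\\hkcmd.exe"},                                    # not a system directory
    {"Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},                     # Defender path
    {"Image": "C:\\Users\\user\\AppData\\Roaming\\MsMpEng.exe"},                       # uncommon location
    {"Image": "C:\\Windows\\explorer.exe"},                                            # not a target binary
]

if __name__ == "__main__":
    for image, selection in evaluate(SAMPLE_EVENTS):
        print(f"ALERT selection_{selection}: {image}")
```

Three of the seven sample events fire; the three copies running from their expected install directories and the unrelated explorer.exe do not.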
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity