Formbook Process Creation
Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes that were started with command line parameters.
Sigma rule
title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: test
description: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes that were started with command line parameters.
references:
    - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
    - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
    - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
    - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-30
modified: 2022-10-06
tags:
    - attack.resource-development
    - attack.t1587.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Parent command line should not contain a space value
        # This avoids false positives not caused by process injection
        # e.g. wscript.exe /B sysmon-install.vbs
        ParentCommandLine|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        ParentCommandLine|endswith: '.exe'
    selection2:
        - CommandLine|contains|all:
            - '/c'
            - 'del'
            - 'C:\Users\'
            - '\AppData\Local\Temp\'
        - CommandLine|contains|all:
            - '/c'
            - 'del'
            - 'C:\Users\'
            - '\Desktop\'
        - CommandLine|contains|all:
            - '/C'
            - 'type nul >'
            - 'C:\Users\'
            - '\Desktop\'
    selection3:
        CommandLine|endswith: '.exe'
    condition: all of selection*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
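To make the rule's three selections and its false-positive guard concrete, here is an added Python evaluator that applies the same logic to constructed process_creation events. It is example code written for this page, not Sigma's or pySigma's matching engine; the event samples, their names and the target file names are invented, and Sigma's case-insensitive string matching is mirrored by lower-casing both sides.

```python
# Added example: stand-alone evaluator for the Formbook Process Creation
# rule's detection logic. Not Sigma/pySigma code; sample events are constructed.

from typing import Iterable

# Sigma's startswith/endswith/contains modifiers match case-insensitively,
# so every comparison below lower-cases the event field first.
PARENT_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# The three alternatives of selection2; matching any one of them is enough.
# The rule's '/C' vs '/c' difference is irrelevant under case-insensitive matching.
SELECTION2_ALTERNATIVES = (
    ("/c", "del", "c:\\users\\", "\\appdata\\local\\temp\\"),
    ("/c", "del", "c:\\users\\", "\\desktop\\"),
    ("/c", "type nul >", "c:\\users\\", "\\desktop\\"),
)


def selection1(parent_command_line: str) -> bool:
    """Parent is a bare System32/SysWOW64 binary started without arguments.

    Requiring the whole parent command line to end in '.exe' is what drops
    parents launched with parameters (e.g. 'wscript.exe /B sysmon-install.vbs').
    """
    parent = parent_command_line.lower()
    return parent.startswith(PARENT_PREFIXES) and parent.endswith(".exe")


def selection2(command_line: str) -> bool:
    """Child command line contains every token of at least one cleanup pattern."""
    cmd = command_line.lower()
    return any(all(token in cmd for token in alt) for alt in SELECTION2_ALTERNATIVES)


def selection3(command_line: str) -> bool:
    """The file being deleted or truncated is an executable."""
    return command_line.lower().endswith(".exe")


def rule_matches(event: dict) -> bool:
    """Implements 'condition: all of selection*'."""
    parent = event.get("ParentCommandLine", "")
    cmd = event.get("CommandLine", "")
    return selection1(parent) and selection2(cmd) and selection3(cmd)


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # injected System32 process deleting the dropper from %TEMP%: should alert
        "name": "formbook-temp-cleanup",
        "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    },
    {   # identical child command, but the parent carried parameters:
        # selection1 excludes it, which is the rule's false-positive guard
        "name": "parent-with-arguments",
        "ParentCommandLine": "C:\\Windows\\System32\\wscript.exe /B sysmon-install.vbs",
        "CommandLine": "cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    },
    {   # routine deletion of a text file on the Desktop: selection3 fails
        "name": "desktop-txt-delete",
        "ParentCommandLine": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "cmd.exe /c del C:\\Users\\bob\\Desktop\\notes.txt",
    },
    {   # 'type nul >' variant truncating an .exe on the Desktop: should alert
        "name": "desktop-type-nul",
        "ParentCommandLine": "C:\\Windows\\SysWOW64\\svchost.exe",
        "CommandLine": "cmd.exe /C type nul > C:\\Users\\bob\\Desktop\\setup.exe",
    },
]


def evaluate(events: Iterable[dict]) -> dict:
    """Map each event's name to whether the rule fires on it."""
    return {e["name"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT ' if hit else 'ignore'}  {name}")
```

The second sample is the case the rule's comment describes: the child command line alone looks identical to the first, and only the parent's trailing arguments keep it from alerting. When tuning this rule, that is the field to inspect first if a match on a legitimate deployment script shows up.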
Related rules
- Conti Volume Shadow Listing
- Mustang Panda Dropper
- FoggyWeb Backdoor DLL Loading
- PUA - CsExec Execution
- Potential Privilege Escalation To LOCAL SYSTEM