Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders under the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC.
Sigma rule
```yaml
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\schtasks.exe'
            - '\wscript.exe'
            - '\mshta.exe'
        # Example folders used by the samples include:
        # - %AppData%\Microsoft\Network\
        # - %AppData%\Microsoft\Office\
        TargetFilename|contains: '\AppData\Roaming\Microsoft\'
        TargetFilename|endswith:
            - '.txt'
            - '.xml'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
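To show how the rule's selection block evaluates against actual events, here is an added Python example (not part of the rule or the SigmaHQ project) that implements its matching logic over constructed file-creation records. The field names follow the Sysmon Event ID 11 mapping commonly used for the Windows file_event category, the user and file names are made up, and the lowercase comparison reflects Sigma's default case-insensitive string matching.

```python
# Added example: evaluate this rule's 'selection' block against constructed
# Windows file_event records (Sysmon Event ID 11 style fields). Sigma string
# modifiers are case-insensitive by default, so both sides are lowercased.

IMAGE_SUFFIXES = ("\\schtasks.exe", "\\wscript.exe", "\\mshta.exe")
PATH_FRAGMENT = "\\appdata\\roaming\\microsoft\\"
FILE_SUFFIXES = (".txt", ".xml")


def matches_devil_bait_rule(event: dict) -> bool:
    """True when the event satisfies 'selection': the three field conditions
    are ANDed, the list values under one field are ORed (Sigma semantics)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        image.endswith(IMAGE_SUFFIXES)
        and PATH_FRAGMENT in target
        and target.endswith(FILE_SUFFIXES)
    )


def alerts(events) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_devil_bait_rule(e)]


# Constructed sample events; user names and file names are illustrative.
SAMPLE_EVENTS = [
    {  # match: wscript writing an .xml under AppData\Roaming\Microsoft\Network
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Network\\config.xml",
    },
    {  # match: mixed case, which the case-insensitive comparison must still catch
        "Image": "C:\\Windows\\SysWOW64\\MSHTA.EXE",
        "TargetFilename": "C:\\Users\\bob\\APPDATA\\Roaming\\Microsoft\\Office\\out.TXT",
    },
    {  # no match: a common process (Word) writing the same kind of file
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\recent.xml",
    },
    {  # no match: listed process, but the file is not under Roaming\Microsoft
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\task.xml",
    },
    {  # no match: listed process and folder, but a .dll instead of .txt/.xml
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Network\\helper.dll",
    },
]
```

Running `alerts(SAMPLE_EVENTS)` returns only the first two paths; a backend that compiles this rule with case-sensitive matching would miss the second one.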
Related rules
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- COLDSTEEL Persistence Service Creation