Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders under the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC.
Sigma rule
```yaml
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.defense_evasion
    - detection.emerging_threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\schtasks.exe'
            - '\wscript.exe'
            - '\mshta.exe'
        # Example folders used by the samples include:
        # - %AppData%\Microsoft\Network\
        # - %AppData%\Microsoft\Office\
        TargetFilename|contains: '\AppData\Roaming\Microsoft\'
        TargetFilename|endswith:
            - '.txt'
            - '.xml'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
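As an added example that is not part of the Sigma rule or this page, the following Python re-implements the rule's single selection (Sigma `endswith`/`contains` modifiers compare case-insensitively) and runs it over constructed Sysmon Event ID 11 (FileCreate) records; the function names and the sample events are assumptions, not real telemetry.

```python
from typing import Dict, List

# Process image suffixes from the rule's Image|endswith list.
IMAGE_SUFFIXES = ("\\schtasks.exe", "\\wscript.exe", "\\mshta.exe")
# Path fragment from TargetFilename|contains, lower-cased for comparison.
PATH_FRAGMENT = "\\appdata\\roaming\\microsoft\\"
# Extensions from TargetFilename|endswith.
FILE_SUFFIXES = (".txt", ".xml")


def matches_devil_bait_rule(event: Dict[str, str]) -> bool:
    """Hypothetical helper: evaluate the rule's selection against one event.

    Sigma string modifiers are case-insensitive by default, so both fields
    are lower-cased before the endswith/contains tests are applied."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        image.endswith(IMAGE_SUFFIXES)
        and PATH_FRAGMENT in target
        and target.endswith(FILE_SUFFIXES)
    )


# Constructed Sysmon Event ID 11 style records (Image / TargetFilename only).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Network\\config.xml"},
    {"Image": "C:\\Windows\\System32\\MSHTA.EXE",  # upper-case image still matches
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\data.txt"},
    # Benign: Office itself writing into its own roaming folder (not in Image list).
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Office\\recent.xml"},
    # Listed process, but the file lands outside the Roaming\Microsoft tree.
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\task.xml"},
    # Listed process and folder, but an extension the rule does not cover.
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Network\\payload.dat"},
]


def find_alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_devil_bait_rule(ev)]


if __name__ == "__main__":
    for idx in find_alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print("ALERT:", ev["Image"], "->", ev["TargetFilename"])
```

Only the first two constructed events fire; the Office write is excluded by the Image list, which is what keeps the rule's false-positive rate low despite the broad path and extension match.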
Related rules
- Goofy Guineapig Backdoor IOC
- Potential Devil Bait Malware Reconnaissance
- Potential Goofy Guineapig GoolgeUpdate Process Anomaly
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution