Small Sieve Malware CommandLine Indicator
Detects a specific command line argument being passed to a binary, as seen used by the Small Sieve malware.
Sigma rule
```yaml
title: Small Sieve Malware CommandLine Indicator
id: 21117127-21c8-437a-ae03-4b51e5a8a088
status: test
description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.persistence
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|endswith: '.exe Platypus'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
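The rule's detection block is a single selection with one `endswith` modifier on `CommandLine`. The following Python is an added example (not part of the Sigma project or the rule page) showing how such a selection is evaluated against process_creation events, including Sigma's default case-insensitive string matching and the "field AND, list-value OR" semantics of a selection map. The events are constructed sample data, not real telemetry, and the field names follow the Sigma process_creation taxonomy the rule uses.

```python
"""Evaluate the Small Sieve Sigma selection against process_creation events."""
from typing import Any, Dict, Iterable, List

# The rule's detection block, transcribed from the page.
RULE = {
    "title": "Small Sieve Malware CommandLine Indicator",
    "level": "high",
    "detection": {
        "selection": {"CommandLine|endswith": ".exe Platypus"},
        "condition": "selection",
    },
}

# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation taxonomy (Image, CommandLine).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"C:\Users\Public\update.exe Platypus"},          # should match
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},                        # benign
    {"Image": r"C:\Temp\svc.exe",
     "CommandLine": "svc.exe PLATYPUS"},                              # case differs, still matches
    {"Image": r"C:\Temp\svc.exe",
     "CommandLine": "svc.exe Platypus --verbose"},                    # indicator not at the end
]


def _field_match(value: Any, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier to a single field value.

    Sigma string comparisons are case-insensitive unless the 'cased'
    modifier is used, so both sides are lower-cased before comparing.
    """
    if value is None:
        return False
    v, p = str(value).lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A selection map is an AND over its keys; a list value is an OR of patterns."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_field_match(event.get(field), modifier, p) for p in patterns):
            return False
    return True


def run_rule(rule: Dict[str, Any], events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy the rule's condition.

    Only the simple 'condition: selection' form used by this rule is handled.
    """
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("only 'condition: selection' is supported in this example")
    return [e for e in events if selection_matches(det["selection"], e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {hit['CommandLine']}")
```

Running the block reports the first and third sample events: the upper-case `PLATYPUS` argument still matches because Sigma's default matching is case-insensitive, while the event where `Platypus` is followed by another argument does not, since `endswith` anchors the indicator to the end of the command line. That anchoring is what keeps this rule narrow enough to carry `falsepositives: Unlikely`.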
References
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
Related rules
- APT27 - Emissary Panda Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Diamond Sleet APT DLL Sideloading Indicators
- Lazarus APT DLL Sideloading Activity
- Pingback Backdoor Activity