Small Sieve Malware CommandLine Indicator
Detects a specific command line argument ("Platypus") being passed to an executable, as seen in use by the Small Sieve malware.
Sigma rule
title: Small Sieve Malware CommandLine Indicator
id: 21117127-21c8-437a-ae03-4b51e5a8a088
status: test
description: Detects a specific command line argument ("Platypus") being passed to an executable, as seen in use by the Small Sieve malware.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.persistence
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|endswith: '.exe Platypus'
    condition: selection
falsepositives:
    - Unlikely
level: high
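To show exactly what the single `selection` above matches, here is an added example (not code from SigmaHQ, the rule author, or the NCSC report) that transcribes the rule's `CommandLine|endswith` test into Python and runs it over a handful of constructed process_creation events. The event dictionaries, file paths and parent processes are hypothetical; the one Sigma behaviour the code relies on is that string modifiers compare case-insensitively unless the rule adds the `cased` modifier.

```python
"""Evaluate the Small Sieve Sigma rule's selection over constructed events."""

# Transcribed from the rule on the page.
RULE_ID = "21117127-21c8-437a-ae03-4b51e5a8a088"
ENDSWITH_VALUE = ".exe Platypus"


def matches_small_sieve(event: dict) -> bool:
    """Return True when the event satisfies `CommandLine|endswith: '.exe Platypus'`.

    Sigma string comparisons are case-insensitive by default, so both sides
    are lower-cased before the suffix check. A missing or non-string field
    never matches, mirroring how a backend treats absent fields.
    """
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False
    return cmdline.lower().endswith(ENDSWITH_VALUE.lower())


def run_rule(events: list[dict]) -> list[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_small_sieve(ev)]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # 0: the shape the rule targets, an unquoted image path followed only by
    #    the "Platypus" argument -> alerts
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe Platypus"},
    # 1: same invocation with different casing -> still alerts (case-insensitive)
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe platypus"},
    # 2: quoted image path. The line ends with '.exe" Platypus', not
    #    '.exe Platypus', so the rule as written does NOT fire.
    {"Image": r"C:\Program Files\Vendor\update.exe",
     "CommandLine": r'"C:\Program Files\Vendor\update.exe" Platypus'},
    # 3: "Platypus" present but followed by further arguments -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c update.exe Platypus --verbose"},
    # 4: ordinary benign process -> no match
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
    # 5: event without a CommandLine field (e.g. partial telemetry) -> no match
    {"Image": r"C:\Windows\System32\svchost.exe"},
]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] alert on event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Events 2 and 3 are the cases a practitioner should keep in mind: `endswith` anchors the match to the very end of the field, so an image path that the launcher quotes (`.exe" Platypus`) or any argument appended after `Platypus` is not caught by this rule as published. If your environment logs quoted paths, a broader `CommandLine|contains` on the same token (with the false-positive review that implies) is the usual adjustment; that widening is this note's suggestion, not part of the rule.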
Related rules
- Pingback Backdoor Activity
- Pingback Backdoor DLL Loading Activity
- Pingback Backdoor File Indicators
- Aruba Network Service Potential DLL Sideloading
- COLDSTEEL Persistence Service Creation