Potential Bumblebee Remote Thread Creation

calendar Oct 15, 2023 · attack.defense_evasion attack.execution attack.t1218.011 attack.t1059.001 detection.emerging_threats  ·
Share on: linkedin copy

Detects remote thread injection events based on action seen used by bumblebee

Sigma rule (View on GitHub)

 1title: Potential Bumblebee Remote Thread Creation
 2id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
 3status: test
 4description: Detects remote thread injection events based on action seen used by bumblebee
 5references:
 6    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/09/27
 9tags:
10    - attack.defense_evasion
11    - attack.execution
12    - attack.t1218.011
13    - attack.t1059.001
14    - detection.emerging_threats
15logsource:
16    product: windows
17    category: create_remote_thread
18detection:
19    selection:
20        SourceImage|endswith:
21            - '\wabmig.exe'
22            - '\wab.exe'
23            - '\ImagingDevices.exe'
24        TargetImage|endswith: '\rundll32.exe'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

  • BumbleBee: Round Two - The DFIR Report

    In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. … Read More


    Read More

Related rules

to-top