ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
Sigma rule
```yaml
title: ChromeLoader Malware Execution
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
status: test
description: Detects execution of ChromeLoader malware via a registered scheduled task
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
author: '@kostastsale'
date: 2022-01-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
    - attack.t1176
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
        Image|endswith: '\chrome.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
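The selection above, evaluated over a few constructed process_creation events, as an added example that is not part of the rule or of the SigmaHQ project. It re-implements the two modifiers the rule uses (endswith, and contains with an embedded * wildcard, both case-insensitive as in Sigma), ANDs the four fields as `condition: selection` requires, and decodes the -E payload to show why the rule can key on the literal JAB: that token is what a UTF-16LE PowerShell script beginning with `$` followed by a letter encodes to in base64. Note that nothing in the selection checks task registration; the rule fires on the powershell.exe to chrome.exe parent/child pair and the --load-extension path, and the scheduled task named in the description is the delivery mechanism described in the references. The events, paths and the encoded command below are constructed for illustration, not real telemetry, and the decoder only handles the `-E` and `-EncodedCommand` spellings.

```python
"""Toy evaluation of the ChromeLoader Sigma selection against constructed events."""
import base64
import fnmatch
import re

# Selection copied from the rule above. Sigma string matching is case-insensitive,
# and a '*' inside a 'contains' value is a wildcard.
SELECTION = {
    "ParentImage|endswith": "\\powershell.exe",
    "ParentCommandLine|contains": "-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB",
    "CommandLine|contains": '--load-extension="*\\Appdata\\local\\chrome"',
    "Image|endswith": "\\chrome.exe",
}


def _match(modifier, value, pattern):
    """Apply one Sigma string modifier (endswith / contains) case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        # fnmatchcase treats '*' as a wildcard and every other character literally
        # (backslashes included), so an embedded '*' in a 'contains' value works.
        return fnmatch.fnmatchcase(v, "*" + p + "*")
    raise ValueError(f"unsupported modifier {modifier!r}")


def matches_rule(event):
    """True when every selection field matches ('condition: selection' is an AND)."""
    for key, pattern in SELECTION.items():
        field, modifier = key.split("|")
        if not _match(modifier, event.get(field, ""), pattern):
            return False
    return True


def decoded_command_prefix(parent_cmdline, n=12):
    """Decode the -E / -EncodedCommand payload (base64 of UTF-16LE) and return its
    first n characters. A script starting with '$' plus a letter always encodes to
    'JAB...', which is the literal the rule keys on. Returns None if nothing decodes."""
    m = re.search(r"-E(?:ncodedCommand)?\s+([A-Za-z0-9+/=]+)", parent_cmdline, re.IGNORECASE)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")[:n]
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed encoded command: a harmless script whose first character is '$'.
ENCODED = base64.b64encode("$env:TEMP".encode("utf-16-le")).decode()

# Constructed sample events in Sysmon-style field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: the shape the rule describes, should fire
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                       r'--load-extension="C:\Users\alice\Appdata\local\chrome" --profile-directory=Default',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -E " + ENCODED,
    },
    {   # 1: ordinary user launch of Chrome from the shell, must not fire
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # 2: developer loading an unpacked extension from a plain script, must not fire
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\dev\myext"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\dev\launch.ps1",
    },
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("hits:", run_rule())
    print("decoded script prefix of hit:", decoded_command_prefix(SAMPLE_EVENTS[0]["ParentCommandLine"]))
```

Running the block reports a hit only for event 0; events 1 and 2 show the two cheap ways a benign Chrome launch fails the selection (wrong parent, or a PowerShell parent without the encoded-command flags). Because the selection ANDs four fields, a variant that loads the extension from a path other than `\Appdata\local\chrome` or is launched with `-EncodedCommand` spelled out rather than `-E` would slip past as written; widening those two values is the first tuning a practitioner would consider.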
Related rules
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Defrag Deactivation
- Kapeka Backdoor Persistence Activity
- OilRig APT Activity