ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
Sigma rule

```yaml
title: ChromeLoader Malware Execution
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
status: test
description: Detects execution of ChromeLoader malware via a registered scheduled task
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
author: '@kostastsale'
date: 2022-01-10
tags:
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
    - attack.t1176
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
        Image|endswith: '\chrome.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
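To see what the rule's selection actually does, here is an added example (not part of the Sigma rule or SigmaHQ tooling) that transcribes the four selection entries into Python matchers and runs them over constructed process_creation events. It shows the two details that decide whether an event fires: Sigma entries in one selection are ANDed, and matching is case-insensitive with `*` as a wildcard, so `\Appdata\local\chrome` still hits the usual `\AppData\Local\chrome` path. Field names and the sample events are assumed for illustration.

```python
import re

# The rule's selection, transcribed as (field, modifier, value) triples.
SELECTION = [
    ("ParentImage", "endswith", r"\powershell.exe"),
    ("ParentCommandLine", "contains", "-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB"),
    ("CommandLine", "contains", r'--load-extension="*\Appdata\local\chrome"'),
    ("Image", "endswith", r"\chrome.exe"),
]

def sigma_to_regex(value: str, modifier: str) -> re.Pattern:
    """Compile one Sigma string value into a regex.

    Sigma matching is case-insensitive and '*' matches any run of characters;
    everything else (backslashes included) is literal. Escaped wildcards and
    '?' are not handled in this simplified converter.
    """
    body = ".*".join(re.escape(part) for part in value.split("*"))
    anchors = {"contains": body, "startswith": r"\A" + body, "endswith": body + r"\Z"}
    return re.compile(anchors[modifier], re.IGNORECASE | re.DOTALL)

def matches(event: dict) -> bool:
    """Every entry of the selection must hit (entries in one selection are ANDed)."""
    return all(
        sigma_to_regex(value, modifier).search(event.get(field, ""))
        for field, modifier, value in SELECTION
    )

def scan(events) -> list:
    """Return the ids of the process_creation events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events (not real telemetry); the -E payload is a dummy base64 fragment.
SAMPLE_EVENTS = [
    {   # hit: hidden, policy-bypassing PowerShell spawning Chrome with a side-loaded extension
        "id": "evt-1",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -E JABjAG8AbgBzAHQA",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\chrome"',
    },
    {   # benign: a developer loading an unpacked extension from Explorer
        "id": "evt-2",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'chrome.exe --load-extension="C:\dev\my-extension"',
    },
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # ['evt-1']
```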
Related rules
- Diamond Sleet APT Scheduled Task Creation
- Serpent Backdoor Payload Execution Via Scheduled Task
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Operation Wocao Activity
- Operation Wocao Activity - Security