FakeUpdates/SocGholish Activity

Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.

Sigma rule

```yaml
title: FakeUpdates/SocGholish Activity
id: 97805087-93ab-4203-b5cb-287cda6aecaa
status: experimental
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
references:
    - https://twitter.com/th3_protoCOL/status/1536788652889497600
    - https://twitter.com/1ZRR4H/status/1537501582727778304
author: '@kostastsale'
date: 2022-06-16
modified: 2024-08-23
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wscript.exe'
        ParentCommandLine|contains|all:
            - '\AppData\Local\Temp'
            - '.zip'
            - 'update'
            - '.js'
        ParentCommandLine|contains:
            - 'Chrome'
            - 'Edge'
            - 'Firefox'
            - 'Opera'
            - 'Brave' # Not seen in campaigns
            - 'Vivaldi' # Not seen in campaigns
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
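To show how the selection block above combines its three field tests (an `endswith` on the parent, a `contains|all` plus a `contains` OR-list on the parent command line, and an `endswith` on the child image), here is an added Python evaluator run over constructed process-creation events. It is example code, not part of the Sigma project or the rule; the sample paths and user names are made up, and it assumes the Sigma default of case-insensitive string matching.

```python
# Added example (not from the Sigma project): evaluates the rule's 'selection'
# against constructed process_creation events. Sigma string modifiers match
# case-insensitively, so every comparison is done on lowercased values.

ALL_OF = ['\\appdata\\local\\temp', '.zip', 'update', '.js']   # contains|all
ANY_OF = ['chrome', 'edge', 'firefox', 'opera', 'brave', 'vivaldi']  # contains (OR)
PARENT_IMAGES = ['\\wscript.exe']                              # ParentImage|endswith
CHILD_IMAGES = ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe']  # Image|endswith

def matches(event: dict) -> bool:
    """Return True when the event satisfies every field test in 'selection'."""
    parent_image = event.get('ParentImage', '').lower()
    parent_cl = event.get('ParentCommandLine', '').lower()
    image = event.get('Image', '').lower()
    if not any(parent_image.endswith(s) for s in PARENT_IMAGES):
        return False
    if not all(s in parent_cl for s in ALL_OF):   # all four substrings required
        return False
    if not any(s in parent_cl for s in ANY_OF):   # at least one browser name
        return False
    return any(image.endswith(s) for s in CHILD_IMAGES)

# Constructed sample events (hypothetical paths; not captured telemetry).
SAMPLE_EVENTS = [
    {   # fits the rule: wscript running a fake browser-update .js from Temp
        'ParentImage': 'C:\\Windows\\System32\\wscript.exe',
        'ParentCommandLine': '"C:\\Windows\\System32\\wscript.exe" '
            '"C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Chrome.Update.zip\\Chrome.Update.js"',
        'Image': 'C:\\Windows\\System32\\cmd.exe',
    },
    {   # benign: wscript logon script with no Temp/.zip/update/.js pattern
        'ParentImage': 'C:\\Windows\\System32\\wscript.exe',
        'ParentCommandLine': 'wscript.exe \\\\fileserver\\netlogon\\mapdrives.js',
        'Image': 'C:\\Windows\\System32\\cmd.exe',
    },
    {   # suspicious parent, but the child is not cmd/powershell/pwsh: no alert
        'ParentImage': 'C:\\Windows\\System32\\wscript.exe',
        'ParentCommandLine': 'wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Edge.Update.zip\\update.js',
        'Image': 'C:\\Windows\\System32\\notepad.exe',
    },
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == '__main__':
    print('matching event indexes:', alerts())   # [0]
```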
