Potential SNAKE Malware Persistence Service Execution

Detects a specific parent/child process relationship: a "WerFault.exe" process started from the "WinSxS" directory with "services.exe" as its parent, i.e. running as a service. This could indicate SNAKE malware activity as reported by CISA.

Sigma rule

title: Potential SNAKE Malware Persistence Service Execution
id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
status: test
description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/04
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\services.exe'
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\WerFault.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
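As an added example that is not part of the rule or of the Sigma project, the following Python reproduces the rule's selection logic (three conditions combined with an implicit AND, matched case-insensitively as Sigma does by default) over constructed process-creation events; the WinSxS component directory name in the sample paths is a placeholder, not a real component store path.

```python
"""Evaluate the rule's 'selection' block over constructed process_creation events."""
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). Field names follow the Sigma
# process_creation taxonomy used by the rule: ParentImage and Image.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\WinSxS\\placeholder_component_dir\\WerFault.exe"},  # should match
    {"EventID": "2", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WerFault.exe"},                           # usual WerFault path, no match
    {"EventID": "3", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\WinSxS\\placeholder_component_dir\\WerFault.exe"},  # WinSxS, but not a service child
    {"EventID": "4", "ParentImage": "c:\\windows\\system32\\SERVICES.EXE",
     "Image": "c:\\windows\\winsxs\\placeholder_component_dir\\werfault.exe"},  # case differs, still matches
]


def matches_selection(event: Dict[str, str]) -> bool:
    """Apply the rule's selection: every listed field condition must hold.

    Sigma compares string values case-insensitively unless the 'cased'
    modifier is used, so both sides are lowercased before comparison.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return (
        parent.endswith("\\services.exe")             # ParentImage|endswith: '\services.exe'
        and image.startswith("c:\\windows\\winsxs\\")  # Image|startswith: 'C:\Windows\WinSxS\'
        and image.endswith("\\werfault.exe")           # Image|endswith: '\WerFault.exe'
    )


def matching_event_ids(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the EventID of every event that satisfies the rule's condition."""
    return [e["EventID"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    print(matching_event_ids(SAMPLE_EVENTS))  # ['1', '4']
```

Event 2 shows why the path prefix is part of the selection: WerFault.exe launched from System32 does not match regardless of its parent, and event 3 shows that a WinSxS copy without services.exe as the parent is also ignored.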
