Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
Sigma rule
```yaml
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
status: test
description: |
    Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
references:
    - Internal Research
author: '@kostastsale'
date: 2023-07-16
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/C '
            - ' >> *\AppData\local\temp\*.bin'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
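To see what this selection does and does not fire on, here is an added example (not part of the page and not the Sigma project's own code): a minimal Python evaluator for the selection block above, applying Sigma's default case-insensitive matching and its `*`/`?` wildcards, run over three constructed process_creation events. The field names and the sample events are assumptions.

```python
import re

# Selection block of the page's Ursnif rule, transcribed as a dict; the
# evaluator below is an added, simplified one (not the Sigma project's code).
RULE_SELECTION = {
    "ParentImage|endswith": "\\explorer.exe",
    "Image|endswith": "\\cmd.exe",
    "CommandLine|contains|all": ["/C ", " >> *\\AppData\\local\\temp\\*.bin"],
}

def _to_regex(value, modifiers):
    """Compile one Sigma string value: '*' is any run, '?' one character, matching is
    case-insensitive, and contains/endswith/startswith add their implicit wildcards."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    elif "startswith" in modifiers:
        body = body + ".*"
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

def selection_matches(event, selection=RULE_SELECTION):
    """True when every field clause holds; a list value is OR unless 'all' is set."""
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        actual = event.get(field, "")
        patterns = [_to_regex(v, modifiers) for v in (values if isinstance(values, list) else [values])]
        hits = [p.match(actual) is not None for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

SAMPLE_EVENTS = [  # constructed process_creation events, not real telemetry
    # 1: every clause holds -> the rule fires
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /C systeminfo >> C:\\Users\\alice\\AppData\\Local\\Temp\\1234.bin"},
    # 2: same pattern in different casing -> still fires (Sigma matching is case-insensitive)
    {"ParentImage": "c:\\windows\\EXPLORER.EXE", "Image": "C:\\WINDOWS\\system32\\CMD.EXE",
     "CommandLine": "CMD.EXE /c whoami >> C:\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\out.BIN"},
    # 3: ordinary redirect to a .txt on the desktop -> no match, the temp\*.bin clause fails
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /C ipconfig /all >> C:\\Users\\alice\\Desktop\\net.txt"},
]

def evaluate(events=SAMPLE_EVENTS):
    """Run the selection over each event and return the per-event verdicts."""
    return [selection_matches(e) for e in events]  # -> [True, True, False]
```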
Related rules
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)