DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
Sigma rule (View on GitHub)
1title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
2id: df49c691-8026-48dd-94d3-4ba6a79102a8
3status: experimental
4description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
5references:
6 - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
7 - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
8author: Tomasz Dyduch, Josh Nickels
9date: 2024/05/31
10tags:
11 - attack.execution
12 - attack.t1059
13logsource:
14 category: file_event
15 product: windows
16detection:
17 selection_filename_suffix:
18 TargetFilename|contains: ':\temp\'
19 TargetFilename|endswith:
20 - '.au3'
21 - '\autoit3.exe'
22 selection_image_suffix:
23 Image|contains: ':\temp\'
24 Image|endswith:
25 - '.au3'
26 - '\autoit3.exe'
27 condition: 1 of selection_*
28falsepositives:
29 - Unlikely legitimate usage of AutoIT in temp folders.
30level: medium
References
-
A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.
Read More -
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
The decrypted request content is as follows: 1000|87|283|Yes|6.1.7|||" Conclusion In this research, a follow-up to our Water Hydra APT Zero Day campaign analysis, we explored how the DarkGate opera...
Read More
Related rules
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Python Spawning Pretty TTY
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Arbitrary Command Execution Via FTP.EXE
- Wscript Shell Run In CommandLine