PCRE.NET Package Temp Files

Aug 12, 2024 · attack.execution attack.t1059 ·

Detects processes creating temp files related to PCRE.NET package

Sigma rule (View on GitHub)

 1title: PCRE.NET Package Temp Files
 2id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
 3status: test
 4description: Detects processes creating temp files related to PCRE.NET package
 5references:
 6    - https://twitter.com/rbmaslen/status/1321859647091970051
 7    - https://twitter.com/tifkin_/status/1321916444557365248
 8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 9date: 2020-10-29
10modified: 2022-10-09
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    category: file_event
16    product: windows
17detection:
18    selection:
19        TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

x.com

Read More
x.com

Read More

Related rules

Abusable DLL Potential Sideloading From Suspicious Location
Add Insecure Download Source To Winget
Add New Download Source To Winget
Atlassian Confluence CVE-2022-26134
Azure New CloudShell Created

PCRE.NET Package Temp Files

Sigma rule (View on GitHub)

References

x.com

x.com

Related rules