PCRE.NET Package Temp Files

 1title: PCRE.NET Package Temp Files
 2id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
 3status: test
 4description: Detects processes creating temp files related to PCRE.NET package
 5references:
 6    - https://twitter.com/rbmaslen/status/1321859647091970051
 7    - https://twitter.com/tifkin_/status/1321916444557365248
 8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 9date: 2020/10/29
10modified: 2022/10/09
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    category: file_event
16    product: windows
17detection:
18    selection:
19        TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Abuse of the Windows Server Update Services (WSUS) for lateral movement.
• FakeUpdates/SocGholish Malware Detection
• Scheduled task executing powershell encoded payload from registry
• ms-msdt for RCE CVE-2022-30190
• ms-msdt for RCE - sdiagnhost.exe spawning command