PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
Sigma rule (View on GitHub)
1title: PCRE.NET Package Temp Files
2id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
3status: test
4description: Detects processes creating temp files related to PCRE.NET package
5references:
6 - https://twitter.com/rbmaslen/status/1321859647091970051
7 - https://twitter.com/tifkin_/status/1321916444557365248
8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
9date: 2020/10/29
10modified: 2022/10/09
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: file_event
16 product: windows
17detection:
18 selection:
19 TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- FakeUpdates/SocGholish Malware Detection
- Scheduled task executing powershell encoded payload from registry
- ms-msdt for RCE CVE-2022-30190
- ms-msdt for RCE - sdiagnhost.exe spawning command