PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
Sigma rule (View on GitHub)
1title: PCRE.NET Package Image Load
2id: 84b0a8f3-680b-4096-a45b-e9a89221727c
3status: test
4description: Detects processes loading modules related to PCRE.NET package
5references:
6 - https://twitter.com/rbmaslen/status/1321859647091970051
7 - https://twitter.com/tifkin_/status/1321916444557365248
8author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
9date: 2020-10-29
10modified: 2022-10-09
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created