Uncommon Child Process Of Defaultpack.EXE
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
Sigma rule (View on GitHub)
1title: Uncommon Child Process Of Defaultpack.EXE
2id: b2309017-4235-44fe-b5af-b15363011957
3status: test
4description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
7 - https://www.echotrail.io/insights/search/defaultpack.exe
8author: frack113
9date: 2022/12/31
10modified: 2024/04/22
11tags:
12 - attack.t1218
13 - attack.defense_evasion
14 - attack.execution
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 ParentImage|endswith: '\DefaultPack.exe'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
.. /DefaultPack.EXE Star Execute This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set...
Read More
Related rules
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- Microsoft Sync Center Suspicious Network Connections
- Potential Compromised 3CXDesktopApp Execution