Uncommon Child Process Of Defaultpack.EXE
Detects child processes of the "DefaultPack.EXE" binary, which can be abused as a proxy to launch other programs (LOLBAS, ATT&CK T1218). Note that the selection below matches every process whose ParentImage ends with \DefaultPack.exe; the "uncommon" qualifier is left to the analyst, and since falsepositives is listed as Unknown, expect to add a filter for any child images that are legitimate in your environment.
Sigma rule
title: Uncommon Child Process Of Defaultpack.EXE
id: b2309017-4235-44fe-b5af-b15363011957
status: test
description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
    - https://www.echotrail.io/insights/search/defaultpack.exe
author: frack113
date: 2022/12/31
modified: 2024/04/22
tags:
    - attack.t1218
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DefaultPack.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
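To show what the rule's selection actually matches, here is an added example (not part of the Sigma rule or the Sigma project's code) that evaluates the `ParentImage|endswith` selection over a handful of constructed process_creation records using Sigma's case-insensitive string matching. It also shows the shape of a tuning filter (the `FILTER_KNOWN_GOOD` map and the conhost.exe entry in it are assumptions for illustration, not part of the rule), which in Sigma would be a second selection combined as `condition: selection and not filter`. The sample events, including the DefaultPack.exe install path, are constructed test data, not real telemetry.

```python
"""Evaluate the DefaultPack.exe Sigma selection over constructed events."""
from __future__ import annotations

# The selection from the rule above: ParentImage|endswith '\DefaultPack.exe'.
SELECTION = {"ParentImage|endswith": "\\DefaultPack.exe"}

# Hypothetical tuning filter (assumption, not part of the original rule):
# child images a site has vetted as expected. conhost.exe is used only as an
# illustration of a child that console programs routinely spawn.
FILTER_KNOWN_GOOD = {"Image|endswith": ["\\conhost.exe"]}


def _field_matches(value, modifier: str | None, pattern: str) -> bool:
    """Apply one Sigma string modifier. Sigma string matching is case-insensitive."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """A Sigma selection map is an AND of its keys; a list of values is an OR."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_field_matches(event.get(field), modifier or None, p) for p in patterns):
            return False
    return True


def evaluate(events: list[dict], selection: dict = SELECTION, filter_: dict | None = None) -> list[dict]:
    """Return events matching `selection` and, if given, not matching `filter_`."""
    return [
        e for e in events
        if selection_matches(e, selection) and not (filter_ and selection_matches(e, filter_))
    ]


def hit_images(events: list[dict], filter_: dict | None = None) -> list[str]:
    """Convenience view: the Image field of every event the rule would alert on."""
    return [e["Image"] for e in evaluate(events, SELECTION, filter_)]


# Constructed Sysmon Event ID 1 style records (sample data, not real telemetry).
_DP = r"C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\DefaultPack.exe"
SAMPLE_EVENTS = [
    # Proxy execution as described on the LOLBAS page: DefaultPack launching cmd.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _DP, "CommandLine": "cmd.exe /c whoami"},
    # Console host spawned for the child; a typical candidate for a tuning filter.
    {"Image": r"C:\Windows\System32\conhost.exe", "ParentImage": _DP, "CommandLine": "conhost.exe 0xffffffff"},
    # Unrelated parent: must not match.
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    # Renamed-case copy elsewhere on disk: still matches because Sigma is case-insensitive.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Tools\DEFAULTPACK.EXE", "CommandLine": "powershell -enc AAAA"},
    # Different binary whose name merely contains the string: the leading backslash
    # in the pattern prevents a match on "\NotDefaultPack.exe".
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Tools\NotDefaultPack.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print("ALERT", e["ParentImage"], "->", e["Image"])
    print("after filter:", hit_images(SAMPLE_EVENTS, FILTER_KNOWN_GOOD))
```

Running the block alerts on three of the five records (cmd.exe, conhost.exe and the case-variant powershell.exe child) and on two once the known-good filter is applied; the explorer.exe-parented and NotDefaultPack.exe-parented records never match. Keep the leading backslash in the pattern when porting this to a backend, since dropping it would widen the match to any parent whose name merely ends in the string.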
Related rules
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Dllhost.EXE Initiated Network Connection To Non-Local IP Address
- Microsoft Sync Center Suspicious Network Connections
- Potential Compromised 3CXDesktopApp Execution