Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
Sigma rule
```yaml
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
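The rule has a single selection map: the parent must live under the ClickOnce application cache (`%LOCALAPPDATA%\Apps\2.0\`) AND the child image must end with one of the listed names; Sigma string modifiers match case-insensitively. The Python below is an added example, not code from the Sigma project or from the rule's author, that evaluates that selection over a handful of constructed Sysmon-style process_creation events so you can see which ones fire. The ClickOnce directory names, user names, PIDs and the `Inventory.exe` application are invented for the sample.

```python
# Added example (not part of the Sigma project or this rule): evaluate the
# rule's 'selection' over constructed Sysmon-style process_creation events.
# Field names follow the Sigma windows/process_creation taxonomy (Image,
# ParentImage); every path, user, PID and app name below is made up.

# Literal values copied from the rule's selection.
PARENT_CONTAINS = "\\AppData\\Local\\Apps\\2.0\\"
CHILD_SUFFIXES = (
    "\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\explorer.exe", "\\mshta.exe",
    "\\net.exe", "\\net1.exe", "\\nltest.exe", "\\notepad.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\reg.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\schtasks.exe",
    "\\werfault.exe", "\\wscript.exe",
)


def matches_selection(event: dict) -> bool:
    """Evaluate the rule's 'selection' map against one event.

    Sigma semantics: the keys of a selection map are ANDed, the list under
    'Image|endswith' is ORed, and plain string modifiers ('contains',
    'endswith') match case-insensitively, so both sides are lower-cased.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if PARENT_CONTAINS.lower() not in parent:
        return False
    return any(image.endswith(suffix.lower()) for suffix in CHILD_SUFFIXES)


def find_hits(events: list) -> list:
    """Return (ProcessId, Image) for every event the rule would alert on."""
    return [(e["ProcessId"], e["Image"]) for e in events if matches_selection(e)]


# Constructed sample events (Sysmon Event ID 1 style, reduced to the fields the
# rule reads plus a ProcessId to identify hits). The parent path mimics the
# %LOCALAPPDATA%\Apps\2.0\<dir>\<dir>\<app dir>\ cache layout of ClickOnce.
CLICKONCE_APP = ("C:\\Users\\alice\\AppData\\Local\\Apps\\2.0\\K1QXN0AB.7TN\\P3Y5R8CE.M1Q\\"
                 "inve..tion_0000000000000000_0001.0002_3a9f1c2d7e6b4a58\\Inventory.exe")
SAMPLE_EVENTS = [
    # 1) ClickOnce app spawns PowerShell: fires.
    {"ProcessId": 4120, "ParentImage": CLICKONCE_APP,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # 2) Same parent spawns conhost.exe: not in the Image list, must not fire.
    {"ProcessId": 4124, "ParentImage": CLICKONCE_APP,
     "Image": "C:\\Windows\\System32\\conhost.exe"},
    # 3) cmd.exe from a conventionally installed app: parent check fails, must not fire.
    {"ProcessId": 5200, "ParentImage": "C:\\Program Files\\Contoso\\Inventory.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # 4) Lower-case parent path and upper-case SysWOW64 child: still fires.
    {"ProcessId": 5316,
     "ParentImage": "c:\\users\\bob\\appdata\\local\\apps\\2.0\\a1b2c3d4.e5f\\g6h7i8j9.k0l\\Inventory.exe",
     "Image": "C:\\Windows\\SysWOW64\\CMD.EXE"},
    # 5) The ClickOnce app crashes and Windows starts WerFault.exe for it: also
    #    fires, and is the most likely benign-noise source in the Image list.
    {"ProcessId": 5402, "ParentImage": CLICKONCE_APP,
     "Image": "C:\\Windows\\System32\\WerFault.exe"},
]

if __name__ == "__main__":
    for pid, image in find_hits(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image}")
```

Event 5 is worth keeping in mind when tuning: `falsepositives` is listed as `Unknown`, but any ClickOnce application that crashes will have `WerFault.exe` as a child, and one that opens a folder or link through the shell can spawn `explorer.exe`, so those two entries are the first to baseline in your environment before raising the level.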
References
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
Related rules
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Arbitrary File Download Via MSOHTMED.EXE