Uncommon FileSystem Load Attempt By Format.com

Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.

Sigma rule (View on GitHub)

 1title: Uncommon FileSystem Load Attempt By Format.com
 2id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
 3status: test
 4description: |
 5        Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
 6references:
 7    - https://twitter.com/0gtweet/status/1477925112561209344
 8    - https://twitter.com/wdormann/status/1478011052130459653?s=20
 9author: Florian Roth (Nextron Systems)
10date: 2022-01-04
11modified: 2024-05-13
12tags:
13    - attack.defense-evasion
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\format.com'
20        CommandLine|contains: '/fs:'
21    filter_main_known_fs:
22        CommandLine|contains:
23            - '/fs:exFAT'
24            - '/fs:FAT'
25            - '/fs:NTFS'
26            - '/fs:ReFS'
27            - '/fs:UDF'
28    condition: selection and not 1 of filter_main_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top