Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Sigma rule (View on GitHub)
1title: Uncommon FileSystem Load Attempt By Format.com
2id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
3status: test
4description: |
5 Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
6references:
7 - https://twitter.com/0gtweet/status/1477925112561209344
8 - https://twitter.com/wdormann/status/1478011052130459653?s=20
9author: Florian Roth (Nextron Systems)
10date: 2022/01/04
11modified: 2024/05/13
12tags:
13 - attack.defense_evasion
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\format.com'
20 CommandLine|contains: '/fs:'
21 filter_main_known_fs:
22 CommandLine|contains:
23 - '/fs:exFAT'
24 - '/fs:FAT'
25 - '/fs:NTFS'
26 - '/fs:ReFS'
27 - '/fs:UDF'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Unknown
31level: high
References
Related rules
- Security Service Disabled Via Reg.EXE
- Suspicious Executable File Creation
- Forest Blizzard APT - Process Creation Activity
- New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
- UAC Disabled