HackTool - GMER Rootkit Detector and Remover Execution

calendar Nov 25, 2024 · attack.defense-evasion  ·
Share on: linkedin copy

Detects the execution GMER tool based on image and hash fields.

Sigma rule (View on GitHub)

 1title: HackTool - GMER Rootkit Detector and Remover Execution
 2id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
 3status: test
 4description: Detects the execution GMER tool based on image and hash fields.
 5references:
 6    - http://www.gmer.net/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-10-05
 9modified: 2024-11-23
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        Image|endswith: '\gmer.exe'
18    selection_sysmon_hash:
19        Hashes|contains:
20            - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
21            - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
22            - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
23    condition: 1 of selection_*
24falsepositives:
25    - Unlikely
26level: high

References

  • GMER

    GMER Pages ▼ No posts. No posts. Home View web version Powered by Blogger.


    Read More

Related rules

to-top