HackTool - GMER Rootkit Detector and Remover Execution

calendar Aug 12, 2024 · attack.defense-evasion  ·
Share on: linkedin copy

Detects the execution GMER tool based on image and hash fields.

Sigma rule (View on GitHub)

 1title: HackTool - GMER Rootkit Detector and Remover Execution
 2id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
 3status: test
 4description: Detects the execution GMER tool based on image and hash fields.
 5references:
 6    - http://www.gmer.net/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-10-05
 9modified: 2023-02-13
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_img:
17        Image|endswith: '\gmer.exe'
18    selection_sysmon_hash:
19        Hashes|contains:
20            - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
21            - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
22            - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
23    selection_other:
24        - md5: 'e9dc058440d321aa17d0600b3ca0ab04'
25        - sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
26        - sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
27    condition: 1 of selection_*
28falsepositives:
29    - Unlikely
30level: high

References

  • GMER

    GMER Pages ▼ No posts. No posts. Home View web version Powered by Blogger.


    Read More

Related rules

to-top