Potentially Suspicious Child Process of KeyScrambler.exe

Detects potentially suspicious child processes of KeyScrambler.exe

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Child Process of KeyScrambler.exe
 2id: ca5583e9-8f80-46ac-ab91-7f314d13b984
 3related:
 4    - id: d2451be2-b582-4e15-8701-4196ac180260
 5      type: similar
 6status: experimental
 7description: Detects potentially suspicious child processes of KeyScrambler.exe
 8references:
 9    - https://twitter.com/DTCERT/status/1712785421845790799
10author: Swachchhanda Shrawan Poudel
11date: 2024-05-13
12tags:
13    - attack.execution
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.t1203
17    - attack.t1574.002
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_parent:
23        ParentImage|endswith: '\KeyScrambler.exe'
24    selection_binaries:
25        # Note: add additional binaries that the attacker might use
26        - Image|endswith:
27              - '\cmd.exe'
28              - '\cscript.exe'
29              - '\mshta.exe'
30              - '\powershell.exe'
31              - '\pwsh.exe'
32              - '\regsvr32.exe'
33              - '\rundll32.exe'
34              - '\wscript.exe'
35        - OriginalFileName:
36              - 'Cmd.Exe'
37              - 'cscript.exe'
38              - 'mshta.exe'
39              - 'PowerShell.EXE'
40              - 'pwsh.dll'
41              - 'regsvr32.exe'
42              - 'RUNDLL32.EXE'
43              - 'wscript.exe'
44    condition: all of selection_*
45falsepositives:
46    - Unknown
47level: medium

References

Related rules

to-top