Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Sigma rule (View on GitHub)
1title: Potentially Suspicious Child Process of KeyScrambler.exe
2id: ca5583e9-8f80-46ac-ab91-7f314d13b984
3related:
4 - id: d2451be2-b582-4e15-8701-4196ac180260
5 type: similar
6status: experimental
7description: Detects potentially suspicious child processes of KeyScrambler.exe
8references:
9 - https://twitter.com/DTCERT/status/1712785421845790799
10author: Swachchhanda Shrawan Poudel
11date: 2024-05-13
12tags:
13 - attack.execution
14 - attack.defense-evasion
15 - attack.privilege-escalation
16 - attack.t1203
17 - attack.t1574.002
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_parent:
23 ParentImage|endswith: '\KeyScrambler.exe'
24 selection_binaries:
25 # Note: add additional binaries that the attacker might use
26 - Image|endswith:
27 - '\cmd.exe'
28 - '\cscript.exe'
29 - '\mshta.exe'
30 - '\powershell.exe'
31 - '\pwsh.exe'
32 - '\regsvr32.exe'
33 - '\rundll32.exe'
34 - '\wscript.exe'
35 - OriginalFileName:
36 - 'Cmd.Exe'
37 - 'cscript.exe'
38 - 'mshta.exe'
39 - 'PowerShell.EXE'
40 - 'pwsh.dll'
41 - 'regsvr32.exe'
42 - 'RUNDLL32.EXE'
43 - 'wscript.exe'
44 condition: all of selection_*
45falsepositives:
46 - Unknown
47level: medium
References
Related rules
- Audit CVE Event
- CMSTP UAC Bypass via COM Object Access
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL