Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Sigma rule:
```yaml
title: Potentially Suspicious Child Process of KeyScrambler.exe
id: ca5583e9-8f80-46ac-ab91-7f314d13b984
related:
    - id: d2451be2-b582-4e15-8701-4196ac180260
      type: similar
status: test
description: Detects potentially suspicious child processes of KeyScrambler.exe
references:
    - https://twitter.com/DTCERT/status/1712785421845790799
author: Swachchhanda Shrawan Poudel
date: 2024-05-13
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1203
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\KeyScrambler.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
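As an added example (not part of the rule or of the Sigma project), the Python below evaluates this rule's logic over constructed process_creation events: `all of selection_*` ANDs the two selections, while the two maps inside `selection_binaries` are ORed, which is why a renamed binary with an unchanged OriginalFileName still fires. The event field names follow Sysmon Event ID 1; all sample paths and the helper binary name are constructed.

```python
"""Evaluate the KeyScrambler.exe child-process Sigma rule over sample events."""

# Values copied from the rule above (lower-cased: Sigma matching is case-insensitive).
PARENT_SUFFIX = "\\keyscrambler.exe"
IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe",
)
ORIGINAL_FILE_NAMES = {
    "cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "pwsh.dll", "regsvr32.exe", "rundll32.exe", "wscript.exe",
}


def matches_rule(event: dict) -> bool:
    """'all of selection_*' ANDs selection_parent and selection_binaries;
    selection_binaries is a YAML list of two maps, so those are ORed."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    selection_parent = parent.endswith(PARENT_SUFFIX)
    selection_binaries = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES
    return selection_parent and selection_binaries


def alerts(events) -> list:
    """Return the events on which this rule would fire."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Plain case: KeyScrambler.exe spawning cmd.exe.
    {"ParentImage": r"C:\Program Files\KeyScrambler\KeyScrambler.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Renamed binary: Image suffix does not match, OriginalFileName still does.
    {"ParentImage": r"C:\Program Files\KeyScrambler\KeyScrambler.exe",
     "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "RUNDLL32.EXE"},
    # Same child, different parent: selection_parent fails, no alert.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Child not in the binary list (constructed helper name): no alert.
    {"ParentImage": r"C:\Program Files\KeyScrambler\KeyScrambler.exe",
     "Image": r"C:\Program Files\KeyScrambler\Helper.exe", "OriginalFileName": "Helper.exe"},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["ParentImage"], "->", e["Image"])
```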