Format.com FileSystem LOLBIN

calendar Feb 21, 2023 · attack.defense_evasion  ·
Share on: linkedin copy

Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs

Sigma rule (View on GitHub)

 1title: Format.com FileSystem LOLBIN
 2id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
 3status: test
 4description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
 5references:
 6    - https://twitter.com/0gtweet/status/1477925112561209344
 7    - https://twitter.com/wdormann/status/1478011052130459653?s=20
 8author: Florian Roth (Nextron Systems)
 9date: 2022/01/04
10tags:
11    - attack.defense_evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith: '\format.com'
18        CommandLine|contains: '/fs:'
19    filter:
20        CommandLine|contains:
21            - '/fs:FAT'
22            - '/fs:exFAT'
23            - '/fs:NTFS'
24            - '/fs:UDF'
25            - '/fs:ReFS'
26    condition: selection and not 1 of filter*
27falsepositives:
28    - Unknown
29level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top