Format.com FileSystem LOLBIN
Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
Sigma rule
title: Format.com FileSystem LOLBIN
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
references:
  - https://twitter.com/0gtweet/status/1477925112561209344
  - https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022/01/04
tags:
  - attack.defense_evasion
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\format.com'
    CommandLine|contains: '/fs:'
  filter:
    CommandLine|contains:
      - '/fs:FAT'
      - '/fs:exFAT'
      - '/fs:NTFS'
      - '/fs:UDF'
      - '/fs:ReFS'
  condition: selection and not 1 of filter*
falsepositives:
  - Unknown
level: high
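To see how the selection and filter combine, the following Python example applies the rule's logic to a handful of constructed process_creation events. This is an added illustration, not code from SigmaHQ or the rule author: the events are made up, field names follow the rule (Image, CommandLine), and string matching is case-insensitive, as Sigma's default `contains` and `endswith` modifiers are. Note that `contains: '/fs:FAT'` also covers `/fs:FAT32`, and that the filter suppresses the alert whenever any of the legitimate filesystem tokens appears anywhere in the command line.

```python
"""Evaluate the "Format.com FileSystem LOLBIN" Sigma rule against sample
process_creation events.

Added example: not part of the Sigma rule or SigmaHQ. SAMPLE_EVENTS below
are constructed for illustration, not real telemetry.
"""

# selection block of the rule
SELECTION_IMAGE_SUFFIX = "\\format.com"      # Image|endswith
SELECTION_CMDLINE_CONTAINS = "/fs:"          # CommandLine|contains

# filter block of the rule (CommandLine|contains, list = OR)
FILTER_CMDLINE_CONTAINS = ["/fs:FAT", "/fs:exFAT", "/fs:NTFS", "/fs:UDF", "/fs:ReFS"]


def _norm(value):
    """Sigma string modifiers are case-insensitive by default."""
    return (value or "").lower()


def matches(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not 1 of filter*'."""
    image = _norm(event.get("Image"))
    cmdline = _norm(event.get("CommandLine"))

    selection = (
        image.endswith(SELECTION_IMAGE_SUFFIX.lower())
        and SELECTION_CMDLINE_CONTAINS.lower() in cmdline
    )
    if not selection:
        return False

    # '1 of filter*': any filter block matching suppresses the alert.
    suppressed = any(token.lower() in cmdline for token in FILTER_CMDLINE_CONTAINS)
    return not suppressed


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # legitimate format with a known filesystem: filtered out
    {"Image": r"C:\Windows\System32\format.com", "CommandLine": "format.com D: /fs:NTFS /q"},
    # mixed case and FAT32: '/fs:fat32' still contains '/fs:fat', filtered out
    {"Image": r"C:\Windows\System32\format.com", "CommandLine": "format.com E: /FS:fat32 /Q"},
    # unknown filesystem name: this is what the rule is after
    {"Image": r"C:\Windows\System32\format.com", "CommandLine": "format.com X: /fs:evil"},
    # same token but from another binary: selection on Image fails
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo /fs:evil"},
    # format.com without any /fs: switch: selection fails
    {"Image": r"C:\Windows\System32\format.com", "CommandLine": "format.com D: /q"},
    # weakness of a 'contains' filter: a legitimate token anywhere on the line
    # suppresses the alert, regardless of which /fs: format.com would honour
    {"Image": r"C:\Windows\System32\format.com", "CommandLine": "format.com X: /fs:evil /fs:NTFS"},
]


def alerts(events):
    """Return the command lines of all events the rule fires on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the third sample event fires; the last one shows why a rule built on `contains` filters should be paired with a look at the full command line rather than trusted blindly, since a benign filesystem token anywhere on the line clears the alert.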
Related rules
- ETW Logging Tamper In .NET Processes
- Execute From Alternate Data Streams
- HackTool - Covenant PowerShell Launcher
- HackTool - Empire PowerShell UAC Bypass
- MsiExec Web Install