Potential DLL Injection Or Execution Using Tracker.exe

 1title: Potential DLL Injection Or Execution Using Tracker.exe
 2id: 148431ce-4b70-403d-8525-fcc2993f29ea
 3status: test
 4description: Detects potential DLL injection and execution using "Tracker.exe"
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 7author: 'Avneet Singh @v3t0_, oscd.community'
 8date: 2020-10-18
 9modified: 2023-01-09
10tags:
11    - attack.defense-evasion
12    - attack.t1055.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\tracker.exe'
19        - Description: 'Tracker'
20    selection_cli:
21        CommandLine|contains:
22            - ' /d '
23            - ' /c '
24    filter_msbuild1:
25        CommandLine|contains: ' /ERRORREPORT:PROMPT '
26    filter_msbuild2:
27        # Example:
28        #   GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
29        #   ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
30        #   CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
31        ParentImage|endswith:
32            - '\Msbuild\Current\Bin\MSBuild.exe'
33            - '\Msbuild\Current\Bin\amd64\MSBuild.exe'
34    condition: all of selection_* and not 1 of filter_*
35falsepositives:
36    - Unknown
37level: medium