Potential DLL Injection Or Execution Using Tracker.exe

 1title: Potential DLL Injection Or Execution Using Tracker.exe
 2id: 148431ce-4b70-403d-8525-fcc2993f29ea
 3status: test
 4description: Detects potential DLL injection and execution using "Tracker.exe"
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 7author: 'Avneet Singh @v3t0_, oscd.community'
 8date: 2020-10-18
 9modified: 2023-01-09
10tags:
11    - attack.privilege-escalation
12    - attack.defense-evasion
13    - attack.t1055.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\tracker.exe'
20        - Description: 'Tracker'
21    selection_cli:
22        CommandLine|contains:
23            - ' /d '
24            - ' /c '
25    filter_msbuild1:
26        CommandLine|contains: ' /ERRORREPORT:PROMPT '
27    filter_msbuild2:
28        # Example:
29        #   GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
30        #   ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
31        #   CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
32        ParentImage|endswith:
33            - '\Msbuild\Current\Bin\MSBuild.exe'
34            - '\Msbuild\Current\Bin\amd64\MSBuild.exe'
35    condition: all of selection_* and not 1 of filter_*
36falsepositives:
37    - Unknown
38level: medium