Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe"
Sigma rule (View on GitHub)
1title: Potential DLL Injection Or Execution Using Tracker.exe
2id: 148431ce-4b70-403d-8525-fcc2993f29ea
3status: test
4description: Detects potential DLL injection and execution using "Tracker.exe"
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
7author: 'Avneet Singh @v3t0_, oscd.community'
8date: 2020/10/18
9modified: 2023/01/09
10tags:
11 - attack.defense_evasion
12 - attack.t1055.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\tracker.exe'
19 - Description: 'Tracker'
20 selection_cli:
21 CommandLine|contains:
22 - ' /d '
23 - ' /c '
24 filter_msbuild1:
25 CommandLine|contains: ' /ERRORREPORT:PROMPT '
26 filter_msbuild2:
27 # Example:
28 # GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
29 # ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
30 # CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
31 ParentImage|endswith:
32 - '\Msbuild\Current\Bin\MSBuild.exe'
33 - '\Msbuild\Current\Bin\amd64\MSBuild.exe'
34 condition: all of selection_* and not 1 of filter_*
35falsepositives:
36 - Unknown
37level: medium
References
Related rules
- Mshta Executing from Registry
- Bumblebee WmiPrvSE execution pattern
- Enable WDigest using PowerShell (ps_module)
- Potential Winnti Dropper Activity
- Cisco File Deletion