PUA - Mouse Lock Execution
In Kaspersky's 2020 Incident Response Analyst Report, the legitimate tool "Mouse Lock" is listed as being used for both credential access and collection in security incidents.
Sigma rule

title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium
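As an added example (not SigmaHQ code or part of the rule), the snippet below evaluates this rule's `selection` against constructed process_creation events. It shows why the list-of-maps is OR-ed (a renamed binary is still caught by the PE Company field) and that Sigma string matching is case-insensitive; the event dictionaries are constructed samples, not real telemetry.

```python
# Added example (not SigmaHQ code): evaluate this rule's `selection` against
# constructed process_creation events to show how the list-of-maps is OR-ed
# and why '|contains' is applied case-insensitively.
SELECTION = [
    {"Product|contains": "Mouse Lock"},
    {"Company|contains": "Misc314"},
    {"CommandLine|contains": "Mouse Lock_"},
]

def field_matches(event, key, expected):
    """Evaluate one Sigma field test; only the plain and 'contains' forms are needed here."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:           # field absent in this log source -> no match
        return False
    if modifier == "contains":  # Sigma string matching is case-insensitive
        return expected.lower() in str(value).lower()
    if modifier == "":
        return str(value).lower() == expected.lower()
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection=SELECTION):
    """A list of maps is OR-ed; the fields inside each map are AND-ed."""
    return any(all(field_matches(event, k, v) for k, v in m.items())
               for m in selection)

# Constructed sample events (Sysmon EID 1-style fields), not real telemetry.
EVENTS = [
    {"Image": r"C:\Users\u\Downloads\Mouse Lock_1.8.exe",
     "CommandLine": r'"C:\Users\u\Downloads\Mouse Lock_1.8.exe"',
     "Product": "Mouse Lock", "Company": "Misc314"},
    # Renamed binary: only the PE version-info Company field still gives it away.
    {"Image": r"C:\Temp\svchost.exe", "CommandLine": "svchost.exe",
     "Product": "", "Company": "Misc314"},
    # Different case on the command line; still matches because matching is case-insensitive.
    {"Image": r"C:\Temp\ml.exe", "CommandLine": r"C:\Temp\MOUSE LOCK_setup.exe /S"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "Product": "Microsoft Windows Operating System", "Company": "Microsoft Corporation"},
]

def alerts(events=EVENTS):
    """Return the Image of every event the selection fires on."""
    return [e["Image"] for e in events if selection_matches(e)]

if __name__ == "__main__":
    for image in alerts():
        print("ALERT:", image)
```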