Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
Sigma rule
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: experimental
description: Detects the execution of a renamed BOINC binary.
references:
    - https://boinc.berkeley.edu/
    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.defense-evasion
    - attack.t1553
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'BOINC.exe'
    filter_main_legit_name:
        Image|endswith: '\BOINC.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
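The rule fires when a process-creation event carries the PE version-info name BOINC.exe but the on-disk image name is something else. The following is an added example, not code from the rule's author or from the Sigma project: a small evaluator that applies the rule's detection block (transcribed from above) to constructed process-creation events. The events, paths and helper names are assumptions made up for the demonstration; the evaluator handles the rule's equality and endswith comparisons case-insensitively, as Sigma does by default, and evaluates the condition exactly as written on the page rather than parsing arbitrary Sigma conditions. The last sample event shows the rule's blind spot: an image whose version resource has been stripped has no OriginalFileName, so the selection cannot match.

```python
"""Apply the 'Renamed BOINC Client Execution' detection logic to sample events."""
from fnmatch import fnmatchcase

# The rule's detection block, transcribed from the page above.
DETECTION = {
    "selection": {"OriginalFileName": "BOINC.exe"},
    "filter_main_legit_name": {"Image|endswith": "\\BOINC.exe"},
    "condition": "selection and not 1 of filter_main_*",
}

# Constructed Sysmon-style process_creation events (hypothetical paths).
SAMPLE_EVENTS = [
    # Legitimate install: image name matches the embedded original name.
    {"Image": r"C:\Program Files\BOINC\boinc.exe", "OriginalFileName": "BOINC.exe"},
    # Renamed copy: version info still says BOINC.exe, image name does not.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "BOINC.exe"},
    # Unrelated process.
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    # Version resource stripped: no OriginalFileName, so the rule cannot fire.
    {"Image": r"C:\Users\Public\update.exe"},
]


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' pair against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    # Sigma string comparisons are case-insensitive by default.
    v, e = str(value).lower(), str(expected).lower()
    if modifier == "":
        return v == e
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "contains":
        return e in v
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event, block):
    """A selection map matches only if every field in it matches (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event, detection=DETECTION):
    """Evaluate 'selection and not 1 of filter_main_*' for one event."""
    blocks = {k: v for k, v in detection.items() if k != "condition"}
    selected = block_matches(event, blocks["selection"])
    # '1 of filter_main_*' is true if any block whose name fits the glob matches.
    filter_names = [n for n in blocks if fnmatchcase(n, "filter_main_*")]
    any_filter = any(block_matches(event, blocks[n]) for n in filter_names)
    return selected and not any_filter


def find_alerts(events):
    """Return the image paths of all events the rule would alert on."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in find_alerts(SAMPLE_EVENTS):
        print("ALERT renamed BOINC client:", image)
```

Run against the constructed events, only the renamed copy in C:\Users\Public is reported; the legitimate boinc.exe is excluded by the filter_main_legit_name block even though its on-disk name differs in case from the value in the rule.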