Renamed BOINC Client Execution

Detects the execution of a renamed BOINC binary.

Sigma rule (View on GitHub)

 1title: Renamed BOINC Client Execution
 2id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
 3status: experimental
 4description: Detects the execution of a renamed BOINC binary.
 5references:
 6    - https://boinc.berkeley.edu/
 7    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
 8    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
 9author: Matt Anderson (Huntress)
10date: 2024-07-23
11tags:
12    - attack.defense-evasion
13    - attack.t1553
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        OriginalFileName: 'BOINC.exe'
20    filter_main_legit_name:
21        Image|endswith: '\BOINC.exe'
22    condition: selection and not 1 of filter_main_*
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top