Arbitrary File Download Via Squirrel.EXE
Detects the use of Squirrel.exe to download arbitrary files. This binary ships with many Electron-based applications (Slack, Teams, Discord, etc.).
Sigma rule
```yaml
title: Arbitrary File Download Via Squirrel.EXE
id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
related:
    - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsoletes
status: experimental
description: |
    Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022/06/09
modified: 2023/11/09
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_download_cli:
        CommandLine|contains:
            - ' --download '
            - ' --update '
            - ' --updateRollback='
    selection_download_http_keyword:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
```
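To show how the three `selection_*` blocks combine under `all of selection_*`, here is an added Python re-implementation of the rule's matching logic run over constructed `process_creation` events. It is example code, not part of the Sigma project; the sample paths, application names and URL are invented, and it assumes Sigma's default case-insensitive string matching.

```python
# Re-implementation of the Sigma rule's detection logic (added example, not
# Sigma project code). Field names follow the rule: Image and CommandLine
# taken from a Windows process_creation event.
IMAGE_SUFFIXES = ("\\squirrel.exe", "\\update.exe")        # selection_img
CLI_KEYWORDS = (" --download ", " --update ", " --updateRollback=")  # selection_download_cli
HTTP_KEYWORD = "http"                                      # selection_download_http_keyword


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies `condition: all of selection_*`.

    Sigma string modifiers (endswith/contains) are case-insensitive by
    default, so both sides are lowercased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_img = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    selection_cli = any(k.lower() in cmdline for k in CLI_KEYWORDS)
    selection_http = HTTP_KEYWORD in cmdline
    return selection_img and selection_cli and selection_http


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # should fire: Update.exe fetching a package from a remote URL
        "Image": "C:\\Users\\alice\\AppData\\Local\\SomeApp\\Update.exe",
        "CommandLine": "Update.exe --download http://example.invalid/pkg",
    },
    {   # should not fire: updater pointed at a local directory, no URL
        "Image": "C:\\Users\\alice\\AppData\\Local\\SomeApp\\Update.exe",
        "CommandLine": "Update.exe --update C:\\Users\\alice\\Downloads\\",
    },
    {   # should not fire: URL on the command line, but wrong binary
        "Image": "C:\\Program Files\\Browser\\browser.exe",
        "CommandLine": "browser.exe --download http://example.invalid",
    },
]


def flagged(events=SAMPLE_EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print("Flagged events:", flagged())  # → [0]
```

The second event illustrates why the `http` keyword is part of the condition: a local `--update` run by a legitimate Electron updater is exactly the false positive the rule's `falsepositives` entry describes.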
Related rules
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE