Arbitrary File Download Via Squirrel.EXE

calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·
Share on: linkedin copy

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Sigma rule (View on GitHub)

 1title: Arbitrary File Download Via Squirrel.EXE
 2id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
 3related:
 4    - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
 5      type: similar
 6    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
 7      type: obsoletes
 8status: experimental
 9description: |
10        Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
11references:
12    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
13    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
14    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
15author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
16date: 2022/06/09
17modified: 2023/11/09
18tags:
19    - attack.defense_evasion
20    - attack.execution
21    - attack.t1218
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_img:
27        Image|endswith:
28            - '\squirrel.exe'
29            - '\update.exe'
30    selection_download_cli:
31        CommandLine|contains:
32            - ' --download '
33            - ' --update '
34            - ' --updateRollback='
35    selection_download_http_keyword:
36        CommandLine|contains: 'http'
37    condition: all of selection_*
38falsepositives:
39    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
40level: medium

References

Related rules

to-top