Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Sigma rule
title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
    - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_exec:
        CommandLine|contains:
            - '--processStart'
            - '--processStartAndWait'
            - '--createShortcut'
    filter_optional_discord:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Discord\Update.exe'
            - ' --processStart'
            - 'Discord.exe'
    filter_optional_github_desktop:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\Update.exe'
            - 'GitHubDesktop.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStartAndWait'
    filter_optional_teams:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\Teams\Update.exe'
            - 'Teams.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    filter_optional_yammer:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\yammerdesktop\Update.exe'
            - 'Yammer.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
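To see what the condition `all of selection_* and not 1 of filter_optional_*` actually suppresses and what it still fires on, the following added example (written for this page; it is neither the rule's own code nor part of the Sigma project) re-implements the rule's detection block in Python and runs it over a handful of constructed process_creation events. Sigma string modifiers compare case-insensitively by default, which the helpers reproduce; the field names `Image` and `CommandLine`, the sample paths and the user name are assumptions chosen for the demonstration, not telemetry from any real host.

```python
"""Evaluate the Squirrel.EXE process-proxy rule over constructed events.

Added example, not part of the Sigma rule or the Sigma project. The match
values are copied from the rule's detection block; the events are made up.
"""

# Sigma 'contains' / 'endswith' are case-insensitive by default.
def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)


# selection_img and selection_exec, copied from the rule.
SELECTION_IMG = ['\\squirrel.exe', '\\update.exe']
SELECTION_EXEC = ['--processStart', '--processStartAndWait', '--createShortcut']

# filter_optional_* blocks: (CommandLine|contains|all, CommandLine|contains or None).
# A block with two field conditions only matches when both hold.
FILTERS = {
    'discord': ([':\\Users\\', '\\AppData\\Local\\Discord\\Update.exe',
                 ' --processStart', 'Discord.exe'], None),
    'github_desktop': ([':\\Users\\', '\\AppData\\Local\\GitHubDesktop\\Update.exe',
                        'GitHubDesktop.exe'],
                       ['--createShortcut', '--processStartAndWait']),
    'teams': ([':\\Users\\', '\\AppData\\Local\\Microsoft\\Teams\\Update.exe',
               'Teams.exe'],
              ['--processStart', '--createShortcut']),
    'yammer': ([':\\Users\\', '\\AppData\\Local\\yammerdesktop\\Update.exe',
                'Yammer.exe'],
               ['--processStart', '--createShortcut']),
}


def matches_filter(cmdline):
    """Return the name of the first filter_optional_* block that matches, else None."""
    for name, (all_needles, any_needles) in FILTERS.items():
        if not _contains_all(cmdline, all_needles):
            continue
        if any_needles is not None and not _contains_any(cmdline, any_needles):
            continue
        return name
    return None


def evaluate(event):
    """Apply 'all of selection_* and not 1 of filter_optional_*' to one event.

    event: dict with the process_creation fields 'Image' and 'CommandLine'
    (field names assumed for this example).
    """
    image = event.get('Image', '')
    cmdline = event.get('CommandLine', '')
    if not _endswith_any(image, SELECTION_IMG):
        return False
    if not _contains_any(cmdline, SELECTION_EXEC):
        return False
    return matches_filter(cmdline) is None


# Constructed sample events (not real telemetry); paths and user are invented.
SAMPLE_EVENTS = [
    # 1. Routine Discord self-update: suppressed by filter_optional_discord.
    {'Image': r'C:\Users\alice\AppData\Local\Discord\Update.exe',
     'CommandLine': r'"C:\Users\alice\AppData\Local\Discord\Update.exe" --processStart Discord.exe'},
    # 2. GitHub Desktop creating its shortcut: suppressed by filter_optional_github_desktop.
    {'Image': r'C:\Users\alice\AppData\Local\GitHubDesktop\Update.exe',
     'CommandLine': r'"C:\Users\alice\AppData\Local\GitHubDesktop\Update.exe" --createShortcut GitHubDesktop.exe'},
    # 3. Squirrel.exe of some other Electron app starting a non-bundled binary: fires.
    {'Image': r'C:\Users\alice\AppData\Local\SomeApp\Squirrel.exe',
     'CommandLine': r'Squirrel.exe --processStart unknown_tool.exe'},
    # 4. Discord's own Update.exe, but the started process is not Discord.exe: fires,
    #    because the discord filter needs 'Discord.exe' in the command line too.
    {'Image': r'C:\Users\alice\AppData\Local\Discord\Update.exe',
     'CommandLine': r'"C:\Users\alice\AppData\Local\Discord\Update.exe" --processStart unknown_tool.exe'},
    # 5. Unrelated image with a look-alike argument: selection_img fails, no alert.
    {'Image': r'C:\Program Files\Google\Chrome\Application\chrome.exe',
     'CommandLine': r'chrome.exe --processStart'},
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of every event the rule would alert on."""
    return [e['CommandLine'] for e in events if evaluate(e)]


if __name__ == '__main__':
    for hit in run_detection():
        print('ALERT:', hit)
```

Events 3 and 4 are the only ones that alert. Event 4 is the instructive one: the filters are deliberately narrow and require the expected vendor executable name in the command line, so a vendor's Update.exe being used to start something else is still reported rather than silently excluded along with the routine updates.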
Related rules
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE
- Potential File Download Via MS-AppInstaller Protocol Handler
- Potentially Suspicious Child Process Of VsCode