Suspicious File Characteristics Due to Missing Fields
Detects executables launched from a Downloads folder whose Description is blank and at least one of FileVersion, Product or Company is blank as well, a combination typical of binaries built with py2exe.
Sigma rule
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
references:
    - https://securelist.com/muddywater/88059/
    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018-11-22
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Description: '\?'
        FileVersion: '\?'
    selection2:
        Description: '\?'
        Product: '\?'
    selection3:
        Description: '\?'
        Company: '\?'
    folder:
        Image|contains: '\Downloads\'
    condition: (selection1 or selection2 or selection3) and folder
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
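The detection logic above, run over a handful of constructed Sysmon Event ID 1 (process creation) records, as an added example that is not part of the Sigma project or of this rule. Sysmon writes a literal question mark into Description, FileVersion, Product and Company when the PE carries no version resource, which is why the rule escapes the value as '\?' (a bare '?' would be a single-character wildcard). The sample log lines, file names and paths below are made up for the example.

```python
"""Added example for this page: the Sigma rule's condition applied to
constructed Sysmon Event ID 1 records. Illustrative code written for the
page, not Sigma's or pySigma's own implementation; the events are made up."""
import json

# Constructed Sysmon Event ID 1 records, one JSON object per line, using the
# field names Sysmon emits. A literal "?" marks a version-resource string the
# executable does not carry. The last record imitates an EDR that emits an
# empty string instead of "?", which the rule as written does not catch.
SAMPLE_LOG = r"""
{"Image": "C:\\Users\\alice\\Downloads\\invoice_2023.exe", "Description": "?", "FileVersion": "?", "Product": "?", "Company": "?", "CommandLine": "\"C:\\Users\\alice\\Downloads\\invoice_2023.exe\""}
{"Image": "C:\\Users\\alice\\Downloads\\Firefox Installer.exe", "Description": "Firefox Installer", "FileVersion": "118.0", "Product": "Firefox", "Company": "Mozilla", "CommandLine": "\"C:\\Users\\alice\\Downloads\\Firefox Installer.exe\""}
{"Image": "C:\\Tools\\build\\helper.exe", "Description": "?", "FileVersion": "?", "Product": "?", "Company": "?", "CommandLine": "helper.exe --run"}
{"Image": "C:\\Users\\bob\\Downloads\\tool.exe", "Description": "Some tool", "FileVersion": "?", "Product": "?", "Company": "?", "CommandLine": "tool.exe"}
{"Image": "C:\\USERS\\BOB\\DOWNLOADS\\updater.exe", "Description": "?", "FileVersion": "1.0.0.0", "Product": "?", "Company": "Contoso", "CommandLine": "updater.exe /silent"}
{"Image": "C:\\Users\\carol\\Downloads\\dropper.exe", "Description": "", "FileVersion": "", "Product": "", "Company": "", "CommandLine": "dropper.exe"}
"""


def parse_sysmon_jsonl(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_missing(value):
    r"""Sysmon's marker for an absent version-resource string is a literal '?'.
    The rule writes it as '\?' because an unescaped '?' is a Sigma wildcard."""
    return value == "?"


def in_downloads(image):
    r"""Image|contains: '\Downloads\' (Sigma string matching is case-insensitive,
    so C:\USERS\BOB\DOWNLOADS\ matches too, as does any subfolder of Downloads)."""
    return "\\downloads\\" in image.lower()


def rule_matches(event):
    """condition: (selection1 or selection2 or selection3) and folder.
    Every selection requires Description to be missing, plus one more field."""
    description_missing = is_missing(event.get("Description", ""))
    selection1 = description_missing and is_missing(event.get("FileVersion", ""))
    selection2 = description_missing and is_missing(event.get("Product", ""))
    selection3 = description_missing and is_missing(event.get("Company", ""))
    folder = in_downloads(event.get("Image", ""))
    return (selection1 or selection2 or selection3) and folder


def find_suspicious(text):
    """Return the Image of every event the rule would alert on, in log order."""
    return [event["Image"] for event in parse_sysmon_jsonl(text) if rule_matches(event)]


if __name__ == "__main__":
    for image in find_suspicious(SAMPLE_LOG):
        print("ALERT:", image)
```

Two things the run makes visible. First, the match is tied to Sysmon's "?" convention: a process-creation source that leaves the fields empty (the last constructed record) never fires, so the rule needs a `Description: ''` variant or a field-existence check before it is ported to another log source. Second, any binary built without a VERSIONINFO resource matches once it runs from Downloads, not only py2exe output, so expect to tune the "Unknown" false-positive entry against the unsigned utilities your users actually fetch.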
Related rules
- File Was Not Allowed To Run
- AteraAgent malicious installations
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType