Suspicious File Characteristics Due to Missing Fields

Detects executables launched from a user's Downloads folder whose PE version information has no Description and is also missing at least one of FileVersion, Product or Company. Sysmon records an absent version-info field as a literal `?`, and a binary with none of these resources is characteristic of a Python script packaged with py2exe (see the referenced MuddyWater sample).

Sigma rule

title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
references:
    - https://securelist.com/muddywater/88059/
    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018/11/22
modified: 2022/10/09
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    product: windows
    category: process_creation
detection:
    # Sysmon writes '?' for a version-info field the PE does not carry.
    # '\?' is an escaped, literal question mark; a bare '?' would be a
    # single-character wildcard in Sigma.
    selection1:
        Description: '\?'
        FileVersion: '\?'
    selection2:
        Description: '\?'
        Product: '\?'
    selection3:
        Description: '\?'
        Company: '\?'
    folder:
        # Sigma string matching is case-insensitive by default
        Image|contains: '\Downloads\'
    condition: (selection1 or selection2 or selection3) and folder
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
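The rule's condition, evaluated in Python over constructed Sysmon Event ID 1 (process creation) messages, so the three selections and the folder filter can be exercised against both hits and near-misses. This is an added example and is not part of the Sigma rule or the page's references; the text-message format, the parser, the sample paths and every executable name are assumptions made up for the demonstration, not real telemetry.

```python
# Added example (not the Sigma rule's or the page's own code): evaluates the
# rule's detection logic over constructed Sysmon Event ID 1 message text.

MISSING = "?"  # Sysmon writes "?" when the PE carries no such version-info field


def parse_sysmon_message(text: str) -> dict:
    """Parse the 'Key: value' lines of a Sysmon event message into a dict.

    Values may themselves contain ':' (e.g. 'C:\\Users\\...'), so split on
    the first ': ' only. Lines without ': ' (such as the 'Process Create:'
    banner) are ignored.
    """
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def rule_matches(event: dict) -> bool:
    """(selection1 or selection2 or selection3) and folder, as in the rule."""
    desc_missing = event.get("Description") == MISSING
    selection1 = desc_missing and event.get("FileVersion") == MISSING
    selection2 = desc_missing and event.get("Product") == MISSING
    selection3 = desc_missing and event.get("Company") == MISSING
    # Sigma 'contains' is case-insensitive by default, so compare lower-cased
    folder = "\\downloads\\" in event.get("Image", "").lower()
    return (selection1 or selection2 or selection3) and folder


# Constructed sample messages (assumed Sysmon-like layout, not real logs).
SAMPLE_MESSAGES = [
    # 1: all four version-info fields absent, run from Downloads -> selection1
    r"""
Process Create:
Image: C:\Users\alice\Downloads\invoice.exe
FileVersion: ?
Description: ?
Product: ?
Company: ?
CommandLine: "C:\Users\alice\Downloads\invoice.exe"
ParentCommandLine: C:\Windows\Explorer.EXE
""",
    # 2: installer with full version info in Downloads -> no match
    r"""
Process Create:
Image: C:\Users\alice\Downloads\setup-x64.exe
FileVersion: 23.1.0.0
Description: Example Installer
Product: Example Suite
Company: Example Corp
CommandLine: "C:\Users\alice\Downloads\setup-x64.exe"
ParentCommandLine: C:\Windows\Explorer.EXE
""",
    # 3: same missing fields as #1 but not under \Downloads\ -> no match
    r"""
Process Create:
Image: C:\Temp\build\tool.exe
FileVersion: ?
Description: ?
Product: ?
Company: ?
CommandLine: C:\Temp\build\tool.exe
ParentCommandLine: cmd.exe
""",
    # 4: only Description missing -> no match (rule needs a second '?' field)
    r"""
Process Create:
Image: C:\Users\bob\Downloads\helper.exe
FileVersion: 1.0.0.0
Description: ?
Product: Helper
Company: Acme
CommandLine: helper.exe
ParentCommandLine: C:\Windows\Explorer.EXE
""",
    # 5: Description and Company missing, mixed-case path -> selection3
    r"""
Process Create:
Image: C:\Users\bob\DOWNLOADS\update.exe
FileVersion: 1.0.0.0
Description: ?
Product: Updater
Company: ?
CommandLine: update.exe
ParentCommandLine: C:\Windows\Explorer.EXE
""",
]


def alerts(messages):
    """Return the Image of every message the rule fires on, in input order."""
    return [e["Image"] for e in map(parse_sysmon_message, messages) if rule_matches(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_MESSAGES):
        print("ALERT:", image)
```

Messages 2 to 4 show the boundaries the rule draws: a binary with complete version info, a resource-less binary outside Downloads, and one with only Description missing all pass, while message 5 shows that a single extra missing field (here Company) and a differently cased `DOWNLOADS` path are enough to fire.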
