Writing Of Malicious Files To The Fonts Folder

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Sigma rule (View on GitHub)

 1title: Writing Of Malicious Files To The Fonts Folder
 2id: ae9b0bd7-8888-4606-b444-0ed7410cb728
 3status: test
 4description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
 5references:
 6    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 7author: Sreeman
 8date: 2020-04-21
 9modified: 2022-03-08
10tags:
11    - attack.t1211
12    - attack.t1059
13    - attack.defense-evasion
14    - attack.persistence
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_1:
20        CommandLine|contains:
21            - 'echo'
22            - 'copy'
23            - 'type'
24            - 'file createnew'
25            - 'cacls'
26    selection_2:
27        CommandLine|contains: 'C:\Windows\Fonts\'
28    selection_3:
29        CommandLine|contains:
30            - '.sh'
31            - '.exe'
32            - '.dll'
33            - '.bin'
34            - '.bat'
35            - '.cmd'
36            - '.js'
37            - '.msh'
38            - '.reg'
39            - '.scr'
40            - '.ps'
41            - '.vb'
42            - '.jar'
43            - '.pl'
44            - '.inf'
45            - '.cpl'
46            - '.hta'
47            - '.msi'
48            - '.vbs'
49    condition: all of selection_*
50falsepositives:
51    - Unknown
52level: medium

References

Related rules

to-top