Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from.
Sigma rule
```yaml
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.t1211
    - attack.t1059
    - attack.defense-evasion
    - attack.persistence
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
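As an added example (not part of the rule or the Sigma project), the Python below applies the three selections above to constructed process_creation events, ANDed as `condition: all of selection_*` requires and case-insensitive as Sigma's `contains` is by default; the event dictionaries and field names are constructed for illustration.

```python
"""Evaluate the Fonts-folder rule's detection block against sample events."""

# Term lists copied from the rule above. Sigma `contains` is a
# case-insensitive substring test, so everything is compared lowercased.
SELECTION_1 = ["echo", "copy", "type", "file createnew", "cacls"]
SELECTION_2 = ["c:\\windows\\fonts\\"]
SELECTION_3 = [".sh", ".exe", ".dll", ".bin", ".bat", ".cmd", ".js", ".msh",
               ".reg", ".scr", ".ps", ".vb", ".jar", ".pl", ".inf", ".cpl",
               ".hta", ".msi", ".vbs"]


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma `contains` with a list value: true if any item is a substring."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches_rule(event: dict) -> bool:
    """True when CommandLine satisfies selection_1 AND selection_2 AND selection_3."""
    cmd = event.get("CommandLine", "")
    return (_contains_any(cmd, SELECTION_1)
            and _contains_any(cmd, SELECTION_2)
            and _contains_any(cmd, SELECTION_3))


# Constructed sample events (not real telemetry). Note that the third one
# already contains '.exe' and the Fonts path, and is only spared because no
# selection_1 verb appears; the rule's breadth comes from selection_1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\Public\update.exe C:\Windows\Fonts\update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c CACLS C:\WINDOWS\FONTS\svc.dll /E /G Everyone:F"},
    {"Image": r"C:\Windows\System32\fontview.exe",
     "CommandLine": r"fontview.exe C:\Windows\Fonts\arial.ttf"},        # no selection_1 term
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Temp\a.exe C:\Temp\b.exe"},     # not the Fonts folder
]


def flag_events(events: list[dict]) -> list[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in flag_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The second event shows why the upper-case `CACLS ... C:\WINDOWS\FONTS\` still fires, and the uncommented `.ps` entry in selection_3 also matches `.ps1` file names because `contains` is a substring test.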