Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. Writing to and executing from this folder does not require administrator privileges.
Sigma rule
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. Writing to and executing from this folder does not require administrator privileges.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.t1211
    - attack.t1059
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
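To see what the rule actually fires on, the following added example (not part of the rule or of the Sigma project) evaluates its three selections over a few constructed process_creation events the way a compiled Sigma query would: each `contains` list is an OR, matched case-insensitively as a plain substring, and the condition `all of selection_*` ANDs the three selections. The event field names and the sample command lines are assumptions made for the example.

```python
"""Added example: evaluate the Fonts-folder Sigma rule over constructed events."""

# The three selections, copied from the rule. Sigma `contains` is case-insensitive.
SELECTION_1 = ["echo", "copy", "type", "file createnew", "cacls"]
SELECTION_2 = ["c:\\windows\\fonts\\"]
SELECTION_3 = [".sh", ".exe", ".dll", ".bin", ".bat", ".cmd", ".js", ".msh",
               ".reg", ".scr", ".ps", ".vb", ".jar", ".pl", ".inf", ".cpl",
               ".hta", ".msi", ".vbs"]


def contains_any(value, needles):
    """'CommandLine|contains: [a, b]' is an OR over the list; plain substring test."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_fonts_rule(event):
    """condition: all of selection_* -> every selection must hold on the same event."""
    cmd = event.get("CommandLine", "")
    return (contains_any(cmd, SELECTION_1)
            and contains_any(cmd, SELECTION_2)
            and contains_any(cmd, SELECTION_3))


# Constructed sample events (not real telemetry); field names assumed.
SAMPLE_EVENTS = [
    # 1. The intended hit: an executable copied into the Fonts folder.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c copy payload.exe C:\\Windows\\Fonts\\svc.exe"},
    # 2. Reads a real font file: selection_3 has no matching extension -> no hit.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "type C:\\Windows\\Fonts\\arial.ttf"},
    # 3. Same copy verb and extension, but a different folder -> no hit.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "copy payload.exe C:\\Users\\Public\\svc.exe"},
    # 4. Same benign 'type' as event 2, but the command line carries the image
    #    path "cmd.exe", so '.exe' satisfies selection_3 and the rule fires.
    #    Substring matching on the whole command line is why this tunes as a
    #    false positive rather than a miss.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c type C:\\Windows\\Fonts\\arial.ttf"},
]


def run_over_events(events):
    """Return one boolean per event: True where the rule would alert."""
    return [matches_fonts_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_over_events(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Event 4 is the case to keep in mind when reviewing alerts from this rule: any command line that embeds the launching image name already satisfies selection_3, so the extension list mainly filters events where the command line omits the image path.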
Related rules
- Suspicious Execution via macOS Script Editor
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Suspicious Remote Child Process From Outlook
- Tasks Folder Evasion
- Elevated System Shell Spawned From Uncommon Parent Location