Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
Sigma rule (View on GitHub)
1title: Writing Of Malicious Files To The Fonts Folder
2id: ae9b0bd7-8888-4606-b444-0ed7410cb728
3status: test
4description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
5references:
6 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
7author: Sreeman
8date: 2020/04/21
9modified: 2022/03/08
10tags:
11 - attack.t1211
12 - attack.t1059
13 - attack.defense_evasion
14 - attack.persistence
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection_1:
20 CommandLine|contains:
21 - 'echo'
22 - 'copy'
23 - 'type'
24 - 'file createnew'
25 - 'cacls'
26 selection_2:
27 CommandLine|contains: 'C:\Windows\Fonts\'
28 selection_3:
29 CommandLine|contains:
30 - '.sh'
31 - '.exe'
32 - '.dll'
33 - '.bin'
34 - '.bat'
35 - '.cmd'
36 - '.js'
37 - '.msh'
38 - '.reg'
39 - '.scr'
40 - '.ps'
41 - '.vb'
42 - '.jar'
43 - '.pl'
44 - '.inf'
45 - '.cpl'
46 - '.hta'
47 - '.msi'
48 - '.vbs'
49 condition: all of selection_*
50falsepositives:
51 - Unknown
52level: medium
References
-
A threat actor logged into the honeypot via RDP and installed XMRig with multiple persistence mechanisms. The actor used icacls and attrib to lock down directories and files to make … Read More
Read More
Related rules
- Suspicious Execution via macOS Script Editor
- Atbroker Registry Change
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures