Suspicious Program Names

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Sigma rule

title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: test
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022/02/11
modified: 2023/03/22
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|contains:
              - '\CVE-202' # Update this when we reach the year 2100
              - '\CVE202' # Update this when we reach the year 2100
        - Image|endswith:
              - '\poc.exe'
              - '\artifact.exe'
              - '\artifact64.exe'
              - '\artifact_protected.exe'
              - '\artifact32.exe'
              - '\artifact32big.exe'
              - 'obfuscated.exe'
              - 'obfusc.exe'
              - '\meterpreter'
    selection_commandline:
        CommandLine|contains:
            - 'inject.ps1'
            - 'Invoke-CVE'
            - 'pupy.ps1'
            - 'payload.ps1'
            - 'beacon.ps1'
            - 'PowerView.ps1'
            - 'bypass.ps1'
            - 'obfuscated.ps1'
            - 'obfusc.ps1'
            - 'obfus.ps1'
            - 'obfs.ps1'
            - 'evil.ps1'
            - 'MiniDogz.ps1'
            - '_enc.ps1'
            - '\shell.ps1'
            - '\rshell.ps1'
            - 'revshell.ps1'
            - '\av.ps1'
            - '\av_test.ps1'
            - 'adrecon.ps1'
            - 'mimikatz.ps1'
            - '\PowerUp_'
            - 'powerup.ps1'
            - '\Temp\a.ps1'
            - '\Temp\p.ps1'
            - '\Temp\1.ps1'
            - 'Hound.ps1'
            - 'encode.ps1'
            - 'powercat.ps1'
    condition: 1 of selection*
fields:
    - CommandLine
    - ParentCommandLine
    - CurrentDirectory
falsepositives:
    - Legitimate tools that accidentally match on the searched patterns
level: high
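The rule body is declarative, so it is worth seeing how its pieces combine at evaluation time: `selection_image` is a list of two modifier maps (either `Image|contains` or `Image|endswith` may match), each modifier carries a list of values joined by OR, string comparison is case-insensitive by Sigma's default, and `1 of selection*` fires when any `selection_*` block matches. The following is an added example, not the rule's own code and not part of Sigma or the SigmaHQ project: it re-implements just that subset of the matching semantics in Python and runs it over a few constructed `process_creation` events. The event dictionaries, paths and command lines are constructed for illustration.

```python
"""Evaluate the 'Suspicious Program Names' Sigma rule against constructed
process_creation events.

Added example, not part of the Sigma rule or the SigmaHQ project. It
re-implements the subset of Sigma matching the rule uses: list-valued
`contains` / `endswith` modifiers (any value matches), case-insensitive
string comparison (Sigma's default), and the `1 of selection*` condition.
The sample events below are constructed, not real telemetry.
"""

# Patterns copied from the rule body above.
IMAGE_CONTAINS = [r"\CVE-202", r"\CVE202"]
IMAGE_ENDSWITH = [
    r"\poc.exe", r"\artifact.exe", r"\artifact64.exe",
    r"\artifact_protected.exe", r"\artifact32.exe", r"\artifact32big.exe",
    "obfuscated.exe", "obfusc.exe", r"\meterpreter",
]
COMMANDLINE_CONTAINS = [
    "inject.ps1", "Invoke-CVE", "pupy.ps1", "payload.ps1", "beacon.ps1",
    "PowerView.ps1", "bypass.ps1", "obfuscated.ps1", "obfusc.ps1",
    "obfus.ps1", "obfs.ps1", "evil.ps1", "MiniDogz.ps1", "_enc.ps1",
    r"\shell.ps1", r"\rshell.ps1", "revshell.ps1", r"\av.ps1",
    r"\av_test.ps1", "adrecon.ps1", "mimikatz.ps1", r"\PowerUp_",
    "powerup.ps1", r"\Temp\a.ps1", r"\Temp\p.ps1", r"\Temp\1.ps1",
    "Hound.ps1", "encode.ps1", "powercat.ps1",
]


def _contains_any(value, patterns):
    """Sigma `contains` over a list: any pattern is a case-insensitive substring."""
    v = value.casefold()
    return any(p.casefold() in v for p in patterns)


def _endswith_any(value, patterns):
    """Sigma `endswith` over a list: the value ends with any pattern, case-insensitively."""
    v = value.casefold()
    return any(v.endswith(p.casefold()) for p in patterns)


def selection_image(event):
    """selection_image is a list of two maps, so Image|contains OR Image|endswith may match."""
    image = event.get("Image", "")
    return _contains_any(image, IMAGE_CONTAINS) or _endswith_any(image, IMAGE_ENDSWITH)


def selection_commandline(event):
    """selection_commandline: CommandLine|contains with a list of values."""
    return _contains_any(event.get("CommandLine", ""), COMMANDLINE_CONTAINS)


def rule_matches(event):
    """condition: 1 of selection*  ->  any selection_* block matching fires the rule."""
    return selection_image(event) or selection_commandline(event)


def matched_selections(event):
    """Names of the selections that matched, useful as triage context in an alert."""
    hits = []
    if selection_image(event):
        hits.append("selection_image")
    if selection_commandline(event):
        hits.append("selection_commandline")
    return hits


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\CVE-2022-1234\poc.exe",
     "CommandLine": "poc.exe --target localhost"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\Temp\\1.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\Invoke-Backup.ps1"},  # benign, should not fire
    {"Image": r"C:\Program Files\Vendor\Artifact.exe",
     "CommandLine": "Artifact.exe /silent"},  # illustrates the listed false positive: case-insensitive hit on \artifact.exe
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (event index, matched selections) for every event the rule fires on."""
    return [(i, matched_selections(e)) for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for idx, hits in evaluate():
        print(f"event {idx}: {', '.join(hits)}")
```

Two details of the rule surface when it is run this way. Values that start with a backslash (`\av.ps1`, `\shell.ps1`, `\Temp\1.ps1`) anchor on a path separator, so they match a file or directory name exactly rather than any string that happens to end in those characters; values without it (`obfuscated.exe`, `encode.ps1`) match wherever they occur. And because matching is case-insensitive, a legitimately named `Artifact.exe` trips `selection_image`, which is the kind of hit the rule's `falsepositives` entry refers to and a reason to keep `CommandLine`, `ParentCommandLine` and `CurrentDirectory` in the alert for triage.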
