Emotet Child Process Spawn Pattern

Jan 8, 2023 · attack.discovery attack.t1087 ·

Detects Emotet Spawning ipconfig and systeminfo.

Sigma rule (View on GitHub)

 1title: Emotet Child Process Spawn Pattern
 2id: 50e8cf53-62df-49aa-bbde-8b3a0a6d8a35
 3status: Experimental
 4description: Detects Emotet Spawning ipconfig and systeminfo. 
 5author:  TheDFIRReport
 6references:
 7  - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
 8  - Case 15184
 9date: 2022/10/03
10logsource:
11  category: process_creation
12  product: windows
13detection:
14  selection_image:
15    CommandLine:
16      - 'ipconfig /all'
17      - 'systeminfo'
18  selection_parent:
19    ParentImage|endswith:
20      - 'regsvr32.exe'
21  selection_parent_cmdline:
22    ParentCommandLine|contains:
23      - '.dll'
24  condition: selection_image and selection_parent and selection_parent_cmdline
25falsepositives:
26  - Unknown
27level: high
28tags:
29  - attack.discovery
30  - attack.t1087

References

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral mo…

Read More
Case 15184

Read More

Related rules

CHCP CodePage Locale Lookup

Emotet Child Process Spawn Pattern

Sigma rule (View on GitHub)

References

Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware

Case 15184

Related rules