Emotet Child Process Spawn Pattern

Detects Emotet spawning ipconfig and systeminfo from a regsvr32.exe parent that was invoked with a DLL on its command line.

Sigma rule

title: Emotet Child Process Spawn Pattern
id: 50e8cf53-62df-49aa-bbde-8b3a0a6d8a35
status: experimental
description: Detects Emotet spawning ipconfig and systeminfo.
author: TheDFIRReport
references:
  - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
  - Case 15184
date: 2022/10/03
logsource:
  category: process_creation
  product: windows
detection:
  # Unmodified values match the full CommandLine (case-insensitive), so a bare
  # 'ipconfig' or 'ipconfig /all /foo' does not satisfy this selection.
  selection_image:
    CommandLine:
      - 'ipconfig /all'
      - 'systeminfo'
  # The discovery command must be a direct child of regsvr32.exe ...
  selection_parent:
    ParentImage|endswith:
      - 'regsvr32.exe'
  # ... and that regsvr32.exe must have been asked to load a DLL.
  selection_parent_cmdline:
    ParentCommandLine|contains:
      - '.dll'
  condition: selection_image and selection_parent and selection_parent_cmdline
falsepositives:
  - Unknown
level: high
tags:
  - attack.discovery
  - attack.t1087
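
The rule above is easiest to reason about by evaluating its three selections over concrete process-creation events. The following is an added example, not part of The DFIR Report's rule or page: a minimal hand-written evaluator for exactly these selections (no Sigma backend involved), run over constructed events with hypothetical paths and DLL names. It shows why an administrator running `ipconfig /all` from cmd.exe, a regsvr32 parent registering an `.ocx`, or a bare `ipconfig` command do not alert, while the two regsvr32-with-DLL parents do.

```python
# Added example (not The DFIR Report's code): a small evaluator for the three
# selections in the Sigma rule above, applied to constructed process_creation events.
# Field names follow the Sigma windows/process_creation taxonomy.
from typing import Dict, List

# Values copied from the rule.
COMMANDLINE_EXACT = ["ipconfig /all", "systeminfo"]
PARENT_IMAGE_ENDSWITH = ["regsvr32.exe"]
PARENT_CMDLINE_CONTAINS = [".dll"]


def _norm(value) -> str:
    """Sigma string matching is case-insensitive; normalise once here."""
    return str(value or "").lower()


def selection_image(event: Dict[str, str]) -> bool:
    # No modifier on CommandLine in the rule => full-string match, not substring.
    cmd = _norm(event.get("CommandLine"))
    return any(cmd == v.lower() for v in COMMANDLINE_EXACT)


def selection_parent(event: Dict[str, str]) -> bool:
    parent = _norm(event.get("ParentImage"))
    return any(parent.endswith(v.lower()) for v in PARENT_IMAGE_ENDSWITH)


def selection_parent_cmdline(event: Dict[str, str]) -> bool:
    pcmd = _norm(event.get("ParentCommandLine"))
    return any(v.lower() in pcmd for v in PARENT_CMDLINE_CONTAINS)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: selection_image and selection_parent and selection_parent_cmdline"""
    return (selection_image(event)
            and selection_parent(event)
            and selection_parent_cmdline(event))


# Constructed sample events; paths and file names are hypothetical, not from the case.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1: discovery command spawned by a regsvr32-loaded DLL -> alert
        "Image": r"C:\Windows\System32\ipconfig.exe",
        "CommandLine": "ipconfig /all",
        "ParentImage": r"C:\Windows\System32\regsvr32.exe",
        "ParentCommandLine": r'regsvr32.exe /s "C:\Users\Public\example.dll"',
    },
    {   # 2: same parent pattern with different casing, second discovery command -> alert
        "Image": r"C:\Windows\System32\systeminfo.exe",
        "CommandLine": "systeminfo",
        "ParentImage": r"C:\Windows\SysWOW64\REGSVR32.EXE",
        "ParentCommandLine": r"REGSVR32.EXE C:\ProgramData\example.DLL",
    },
    {   # 3: same command run by an admin from a shell -> no alert
        "Image": r"C:\Windows\System32\ipconfig.exe",
        "CommandLine": "ipconfig /all",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe",
    },
    {   # 4: regsvr32 parent, but it registered an .ocx rather than a .dll -> no alert
        "Image": r"C:\Windows\System32\ipconfig.exe",
        "CommandLine": "ipconfig /all",
        "ParentImage": r"C:\Windows\System32\regsvr32.exe",
        "ParentCommandLine": r"regsvr32.exe /s C:\Windows\System32\example.ocx",
    },
    {   # 5: exact match on CommandLine: a bare 'ipconfig' is not 'ipconfig /all' -> no alert
        "Image": r"C:\Windows\System32\ipconfig.exe",
        "CommandLine": "ipconfig",
        "ParentImage": r"C:\Windows\System32\regsvr32.exe",
        "ParentCommandLine": r'regsvr32.exe /s "C:\Users\Public\example.dll"',
    },
]


def alerting_indices(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    """Return the 1-based indices of events that would trigger the rule."""
    return [i for i, e in enumerate(events, start=1) if matches_rule(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS, start=1):
        flag = "ALERT" if matches_rule(e) else "-"
        print(f"{i}: {flag:5} {e['CommandLine']!r} <- {e['ParentImage']}")
```

Event 5 is the one worth remembering when tuning: because `CommandLine` carries no `|contains` modifier, the rule only fires on the two exact strings, so variants such as `ipconfig` alone or `systeminfo /fo csv` would need either extra list entries or a modifier, with the corresponding false-positive review.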
