FlawedGrace spawning threat injection target
Detects the command line FlawedGrace uses when spawning the process it then injects into, in this case cmd.exe.
Sigma rule

title: FlawedGrace spawning threat injection target
id: 295e71e5-38c9-4a59-90dd-9fa7bf617b4b
description: Detects the command line FlawedGrace uses when spawning the process it then injects into, in this case cmd.exe.
status: experimental
date: 2023-06-12
modified: 2024-02-23
author: "@kostastsale, @TheDFIRReport"
references:
  - https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out
logsource:
  category: process_creation
  product: windows
detection:
  selection_1:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
      - ' /I '
      - ' /SI '
  selection_2:
    Image|endswith: '\cmd.exe'
    CommandLine|contains|all:
      - ' /O '
      - ' /SO '
  condition: 1 of selection_*
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense-evasion #TA0005
  - attack.t1055
  - dist.public
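To show how the two selections match against process_creation telemetry, here is a small evaluator of this rule's logic run over constructed sample events (an added example, not part of the rule or of The DFIR Report's tooling; the sample command lines are placeholders, not FlawedGrace's real arguments). It mirrors the Sigma semantics the rule relies on: string modifiers match case-insensitively, `contains|all` requires every listed value, and `1 of selection_*` ORs the selections.

```python
# Added example: minimal evaluator for the two selections of the rule above.
# Event shape and all sample values are constructed, not real telemetry.

RULE_SELECTIONS = {
    "selection_1": {"Image|endswith": ["\\cmd.exe"],
                    "CommandLine|contains|all": [" /I ", " /SI "]},
    "selection_2": {"Image|endswith": ["\\cmd.exe"],
                    "CommandLine|contains|all": [" /O ", " /SO "]},
}

def _string_match(op: str, actual: str, value: str) -> bool:
    """Sigma string modifiers; both sides are lowercased (case-insensitive)."""
    if op == "endswith":
        return actual.endswith(value)
    if op == "contains":
        return value in actual
    return actual == value  # no modifier: exact match

def selection_matches(selection: dict, event: dict) -> bool:
    """All fields of a selection must match (implicit AND)."""
    for spec, values in selection.items():
        field, *mods = spec.split("|")
        actual = str(event.get(field, "")).lower()
        op = next((m for m in mods if m != "all"), "equals")
        hits = [_string_match(op, actual, v.lower()) for v in values]
        # 'all' needs every listed value; otherwise any one value suffices
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_*  (OR over the selections)."""
    return any(selection_matches(s, event) for s in RULE_SELECTIONS.values())

def scan(events: list) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]

SAMPLE_EVENTS = [  # constructed process_creation events; placeholder arguments
    {"id": "e1", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /I 1234 /SI 5678"},    # selection_1
    {"id": "e2", "Image": r"C:\Windows\SysWOW64\CMD.EXE", "CommandLine": "cmd.exe /o 11 /so 22"},        # selection_2, mixed case
    {"id": "e3", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /I 1234"},             # one token only: no match
    {"id": "e4", "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe /I 1 /SI 2"},  # Image is not cmd.exe
    {"id": "e5", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c findstr /I /S x"},  # benign /I and /S switches
]

print(scan(SAMPLE_EVENTS))  # ['e1', 'e2']
```

The space-bounded tokens are what keep e5 (a legitimate `findstr /I /S`) from firing: the rule needs both of a pair, each surrounded by spaces, not just a lone `/I`.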
Related rules
- Conhost Suspicious Command Execution
- JavaScript Execution Using MSDOS 8.3 File Notation
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- HackTool - CoercedPotato Execution
- HackTool - EfsPotato Named Pipe Creation