Operator Bring Your Own Tools
Detects use of custom scripts, i.e. BAT files.
Sigma rule
```yaml
title: Operator Bring Your Own Tools
id: dee0aaa1-b7d7-4be0-ac30-2add7b88d259
status: experimental
description: Detects use of custom scripts i.e. BAT files.
author: _pete_0, TheDFIRReport
references:
    - https://thedfirreport.com/
date: 2022-06-10
modified: 2024-02-23
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - adf.bat
            - adfind.bat
            - locker.bat
            - kill.bat
            - def.bat
            - start.bat
            - shadow.bat
            - logdelete.bat
            - closeapps.bat
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Admin tools
level: high
tags:
    - attack.command-and-control
    - attack.t1105
```
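The rule's selection is a conjunction of two field tests: `Image|endswith` and `CommandLine|contains` with a list of values (any value matching is enough). The Python below is an added example, not code from the rule's authors or from the Sigma project, that applies the same logic to a handful of constructed process_creation events so you can see what does and does not fire. It follows Sigma's default case-insensitive string matching; the hosts, paths and command lines in `SAMPLE_EVENTS` are invented for the demonstration.

```python
"""Apply the 'Operator Bring Your Own Tools' selection to process_creation events.

Added example, not part of the Sigma rule or its page. Field names follow the
Sigma process_creation taxonomy (Image, CommandLine).
"""
from __future__ import annotations

from typing import Iterable

# Values copied verbatim from the rule's selection block.
IMAGE_SUFFIX = "\\cmd.exe"
BAT_NAMES = [
    "adf.bat", "adfind.bat", "locker.bat", "kill.bat", "def.bat",
    "start.bat", "shadow.bat", "logdelete.bat", "closeapps.bat",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: selection'.

    Sigma's |endswith and |contains modifiers are case-insensitive by default,
    so both fields are lower-cased before comparison. A missing field never
    matches, which mirrors how a backend treats an absent key.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return any(name in cmdline for name in BAT_NAMES)


def matched_names(event: dict) -> list[str]:
    """Which listed BAT names occur in the command line; handy for the alert body."""
    cmdline = str(event.get("CommandLine", "")).lower()
    return [name for name in BAT_NAMES if name in cmdline]


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that fire the rule."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\temp\adfind.bat"},              # fires
    {"Image": r"C:\Windows\SysWOW64\CMD.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\CMD.EXE" /c shadow.bat'},  # fires (case-insensitive)
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\scripts\nightly_backup.bat"},    # no listed name
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File kill.bat"},               # not cmd.exe
    {"Image": r"C:\Windows\System32\cmd.exe"},                        # no CommandLine field
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(matched_names(hit), "<-", hit["CommandLine"])
```

Note that `contains` is plain substring matching, so a command line invoking `autostart.bat` or `restart.bat` also satisfies the `start.bat` value; that is the mechanism behind the rule's stated "Admin tools" false positives and is worth checking against your own scheduled scripts before deploying at `level: high`.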
Related rules
- Suspicious Invoke-WebRequest Execution
- PUA - Nimgrab Execution
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- File Download From IP Based URL Via CertOC.EXE