Operator Bring Your Own Tools
Detects the use of custom operator scripts, e.g. BAT files with names seen in intrusions, launched through cmd.exe.
Sigma rule

```yaml
title: Operator Bring Your Own Tools
id: dee0aaa1-b7d7-4be0-ac30-2add7b88d259
status: experimental
description: Detects use of custom scripts i.e. BAT files.
author: _pete_0, TheDFIRReport
references:
  - https://thedfirreport.com/
date: 2022-06-10
modified: 2024-02-23
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - adf.bat
      - adfind.bat
      - locker.bat
      - kill.bat
      - def.bat
      - start.bat
      - shadow.bat
      - logdelete.bat
      - closeapps.bat
    Image|endswith:
      - '\cmd.exe'
  condition: selection
fields:
  - CommandLine
falsepositives:
  - Admin tools
level: high
tags:
  - attack.command_and_control
  - attack.t1105
```
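To show what the selection matches, the following is an added Python evaluation of the rule's two conditions (CommandLine contains one of the listed names AND Image ends with `\cmd.exe`, both case-insensitive as Sigma string modifiers are) over constructed process_creation events. It is example code, not Sigma's engine or the rule authors' code; the hosts, paths and events are hypothetical.

```python
"""Evaluate the 'Operator Bring Your Own Tools' selection over constructed
Windows process_creation events. Sigma's contains/endswith modifiers are
case-insensitive, so values are lowercased before comparison."""

# Values copied from the rule's selection.
BAT_NAMES = [
    "adf.bat", "adfind.bat", "locker.bat", "kill.bat", "def.bat",
    "start.bat", "shadow.bat", "logdelete.bat", "closeapps.bat",
]
IMAGE_SUFFIXES = ["\\cmd.exe"]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: selection':
    CommandLine contains a listed .bat name AND Image ends with \\cmd.exe."""
    cmdline = str(event.get("CommandLine", "")).lower()
    image = str(event.get("Image", "")).lower()
    cmd_hit = any(name in cmdline for name in BAT_NAMES)
    image_hit = any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)
    return cmd_hit and image_hit


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\adfind.bat"},
    # Mixed case still matches because the comparison is case-insensitive.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c SHADOW.BAT'},
    # Listed name, but launched by PowerShell: the Image filter rejects it.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c .\locker.bat"},
    # cmd.exe running a script that is not on the list: no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\scripts\backup.bat"},
]


def find_alerts(events):
    """Return the CommandLine of every event that triggers the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first two events alert; the third shows why the `Image|endswith` clause matters for tuning, since a script with a listed name run from another interpreter is not covered by this rule as written.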
Related rules
- Autoit3.exe Executable File Creation Matching DarkGate Behavior
- BITSAdmin Downloading Malicious Binaries (RedCanary Threat Detection Report)
- Certutil Downloading Malicious Binaries (RedCanary Threat Detection Report)
- Possible Raspberry Robin DLL Download Using msiexec (RedCanary Threat Detection Report)
- Suspicious Registry Key Added: LanmanServer Parameters