Detection of Suspicious triggering of ErrorHandler.cmd Execution
Detects the persistence mechanism of triggering ErrorHandler.cmd execution upon the execution of specific binaries inside the oobe directory.
Sigma rule

```yaml
title: Detection of Suspicious triggering of ErrorHandler.cmd Execution
id: 26421df5-d394-4226-bcc5-0e846636acec
status: experimental
description: Detects the persistence mechanism of triggering ErrorHandler.cmd execution upon the execution of specific binaries inside the oobe directory.
references:
    - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
author: '@kostastsale'
date: 2024/08/02
tags:
    - attack.execution
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - 'ErrorHandler.cmd'
        ParentImage|endswith:
            - '\System32\oobe\*.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
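The rule's selection logic, run over a handful of constructed process_creation events, as an added example that is not part of the rule or this page; the event paths, event ids and the Sigma-to-regex routine are assumptions made for illustration, not real telemetry or the Sigma project's own matcher.

```python
import re

# Selection copied from the Sigma rule on this page: every field must match
# (AND), and any listed value for a field may match (OR).
SELECTION = {
    "CommandLine|endswith": ["ErrorHandler.cmd"],
    "ParentImage|endswith": [r"\System32\oobe\*.exe"],
}

# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"id": "evt-1", "ParentImage": r"C:\Windows\System32\oobe\Setup.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Setup\Scripts\ErrorHandler.cmd"},
    {"id": "evt-2", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Setup\Scripts\ErrorHandler.cmd"},
    {"id": "evt-3", "ParentImage": r"C:\Windows\System32\oobe\msoobe.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c c:\windows\setup\scripts\errorhandler.CMD"},
    {"id": "evt-4", "ParentImage": r"C:\Windows\System32\oobe\Setup.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def sigma_regex(pattern: str, modifier: str) -> re.Pattern:
    """Sigma value -> anchored regex: case-insensitive, '*' is the only
    wildcard; everything else (backslashes included) is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if modifier in ("endswith", "contains"):
        body = ".*" + body
    if modifier in ("startswith", "contains"):
        body = body + ".*"
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        observed = event.get(field)
        if observed is None:  # a missing field never satisfies a condition
            return False
        if not any(sigma_regex(v, modifier).search(observed) for v in values):
            return False
    return True


def run_rule(events: list[dict]) -> list[str]:
    """Return the ids of events that satisfy 'condition: selection'."""
    return [e["id"] for e in events if matches_selection(e)]
```

evt-2 is dropped because its parent is not an oobe binary and evt-4 because the child command line is unrelated; evt-3 shows that matching is case-insensitive, as in Sigma.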