ChromeLoader Malware Detection
Detects execution of ChromeLoader malware via a registered scheduled task
Sigma rule:
```yaml
title: ChromeLoader Malware Detection
description: Detects execution of ChromeLoader malware via a registered scheduled task
status: experimental
date: 2022/01/10
author: '@kostastsale'
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
logsource:
    category: process_creation
    product: windows
detection:
    # Parent: hidden PowerShell running an encoded command (JAB is the Base64
    # prefix of a UTF-16LE "$", i.e. a script that starts with a variable)
    selection1:
        ParentCommandLine|contains:
            - '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        ParentImage|endswith:
            - '\powershell.exe'   # endswith already implies a leading wildcard
    # Child: Chrome started with an unpacked extension sideloaded from %LOCALAPPDATA%
    selection2:
        CommandLine|contains:
            - '--load-extension="*\Appdata\local\chrome"'
        Image|endswith:
            - '\chrome.exe'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
    - attack.persistence
    - attack.T1176
    - attack.T1053.005
```
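To see how the four field matchers combine, here is an added Python evaluator for this rule (example code written for this page, not part of the rule or of the Sigma project's tooling). It applies Sigma's case-insensitive `contains`/`endswith` semantics, with `*` as a wildcard, to two constructed Sysmon-style process_creation events: one ChromeLoader-like chain and one benign Chrome launch with the same extension path.

```python
import re

# Field matchers transcribed from the rule above: (field, modifier) -> values.
RULE = {
    "selection1": {
        ("ParentCommandLine", "contains"): ["-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB"],
        ("ParentImage", "endswith"): ["\\powershell.exe"],
    },
    "selection2": {
        ("CommandLine", "contains"): ['--load-extension="*\\Appdata\\local\\chrome"'],
        ("Image", "endswith"): ["\\chrome.exe"],
    },
}

def _pattern(value, modifier):
    """Sigma value + modifier -> anchored regex; '*' inside the value is a wildcard."""
    body = ".*".join(re.escape(part) for part in value.split("*"))
    shapes = {"contains": f".*{body}.*", "endswith": f".*{body}", "startswith": f"{body}.*"}
    return re.compile(shapes[modifier], re.IGNORECASE | re.DOTALL)

def selection_matches(event, selection):
    """Fields in a selection are ANDed; the value list of one field is ORed."""
    for (field, modifier), values in selection.items():
        observed = event.get(field, "")
        if not any(_pattern(v, modifier).fullmatch(observed) for v in values):
            return False
    return True

def chromeloader_match(event):
    """The rule's condition: selection1 and selection2."""
    return all(selection_matches(event, sel) for sel in RULE.values())

# Constructed events (not real telemetry); the encoded blob is a placeholder.
SAMPLE_EVENTS = [
    {  # hidden encoded PowerShell parent -> chrome.exe sideloading an unpacked extension
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -E JABPLACEHOLDER",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\chrome"',
    },
    {  # same extension path, but launched from Explorer: selection1 fails, no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\chrome"',
    },
]

def scan(events):
    """Return the indices of events that the rule would alert on."""
    return [i for i, event in enumerate(events) if chromeloader_match(event)]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [0]
```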