Emotet loader execution via .lnk file
Detects the latest Emotet loader as reported by @malware_traffic. The .lnk file was delivered via a phishing campaign.
Sigma rule

```yaml
title: Emotet loader execution via .lnk file
description: Detects the latest Emotet loader as reported by @malware_traffic. The .lnk file was delivered via a phishing campaign.
status: experimental
date: 2022/04/22
author: '@kostastsale'
references:
  - https://twitter.com/malware_traffic/status/1517622327000846338
  - https://twitter.com/Cryptolaemus1/status/1517634855940632576
  - https://tria.ge/220422-1pw1pscfdl/
  - https://tria.ge/220422-1nnmyagdf2/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage:
      - '*\cmd.exe'
      - '*\powershell.exe'
      - '*\explorer.exe'
    Image:
      - '*\cmd.exe'
      - '*\powershell.exe'
    CommandLine|contains|all:
      - 'findstr'
      - '.vbs'
      - '.lnk'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.T1059.006
```
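The rule's `selection1` logic evaluated against a few constructed process-creation events, as an added example that is not part of the rule or this page. It applies Sigma's matching semantics (case-insensitive fields, `*` wildcards on the image paths, `contains|all` on the command line); the events are made up for illustration, not real telemetry.

```python
import fnmatch
from typing import Dict, List

# Field conditions transcribed from selection1 of the rule above.
PARENT_IMAGE = [r"*\cmd.exe", r"*\powershell.exe", r"*\explorer.exe"]
IMAGE = [r"*\cmd.exe", r"*\powershell.exe"]
COMMANDLINE_CONTAINS_ALL = ["findstr", ".vbs", ".lnk"]


def _wildcard_any(value: str, patterns: List[str]) -> bool:
    """Sigma list semantics (OR), case-insensitive, '*' as wildcard."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def _contains_all(value: str, needles: List[str]) -> bool:
    """The contains|all modifier: every substring present, case-insensitive."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches_emotet_lnk_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: selection1' against one process_creation event."""
    return (
        _wildcard_any(event.get("ParentImage", ""), PARENT_IMAGE)
        and _wildcard_any(event.get("Image", ""), IMAGE)
        and _contains_all(event.get("CommandLine", ""), COMMANDLINE_CONTAINS_ALL)
    )


# Constructed Sysmon-event-1-style records (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {  # expected hit: explorer.exe -> cmd.exe, findstr writing a .vbs from a .lnk
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c findstr "marker" Invoice.lnk > %TMP%\out.vbs',
    },
    {  # benign: findstr on a .lnk, but no .vbs token in the command line
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c findstr /i "shortcut" C:\Users\bob\Desktop\app.lnk',
    },
    {  # benign: parent is not one of the three listed images
        "ParentImage": r"C:\Program Files\Backup\agent.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c findstr "x" a.lnk > b.vbs',
    },
]


def hits(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_emotet_lnk_rule(e)]
```

Running `hits(SAMPLE_EVENTS)` returns `[0]`: only the first record satisfies all three field conditions.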