ChromeLoader Malware Detection
Detects execution of ChromeLoader malware via a registered scheduled task
Sigma rule
```yaml
title: ChromeLoader Malware Detection
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
description: Detects execution of ChromeLoader malware via a registered scheduled task
status: experimental
date: 2022/01/10
author: '@kostastsale'
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentCommandLine|contains:
            - '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        ParentImage|endswith:
            - '*\powershell.exe'
    selection2:
        CommandLine|contains:
            - '--load-extension="*\Appdata\local\chrome"'
        Image|endswith:
            - '*\chrome.exe'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
    - attack.persistence
    - attack.T1176
    - attack.T1053.005
```
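To show how the two selections combine, here is an added example (not part of the rule or of SigmaHQ) that evaluates the rule's matching logic over constructed process_creation events: `*` is treated as a Sigma wildcard, matching is case-insensitive as Sigma specifies, and the `condition` requires both the encoded-PowerShell parent and the chrome `--load-extension` child. The event field values and the base64 fragment are constructed sample data.

```python
import re

# Constructed process_creation events (sample data, not real telemetry); only event 0 is the full chain.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -E JABzAGUAdAAuAC4A",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension="C:\Users\alice\AppData\Local\chrome" --no-first-run'},
    {"ParentImage": r"C:\Windows\explorer.exe",                      # benign: chrome from explorer
     "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # parent matches only
     "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -E JABzAGUAdAAuAC4A",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" https://example.com'},
]

# The rule's two selections, keyed by (field, modifier), with the values exactly as written in the rule.
RULE = {
    "selection1": {
        ("ParentCommandLine", "contains"): ["-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB"],
        ("ParentImage", "endswith"): [r"*\powershell.exe"],
    },
    "selection2": {
        ("CommandLine", "contains"): [r'--load-extension="*\Appdata\local\chrome"'],
        ("Image", "endswith"): [r"*\chrome.exe"],
    },
}

def sigma_value_to_regex(value, modifier):
    # '*' is a wildcard, everything else is literal; case-insensitive like Sigma's default matching.
    body = ".*".join(re.escape(part) for part in value.split("*"))
    if modifier == "contains":
        return re.compile(body, re.IGNORECASE | re.DOTALL)
    if modifier == "endswith":
        return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    # Sigma map semantics: every field in a selection must match (AND); a value list for one field is OR.
    return all(
        any(sigma_value_to_regex(v, mod).search(event.get(field, "")) for v in values)
        for (field, mod), values in selection.items()
    )

def rule_matches(event):
    # condition: selection1 and selection2
    return all(selection_matches(event, RULE[s]) for s in ("selection1", "selection2"))
```

Event 2 shows why the AND matters: an encoded hidden PowerShell parent alone fires nothing, so the rule stays quiet on the far more common case of scripts that simply launch a browser.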
Related rules
- Detecting Ammy Admin RMM Agent Execution
- Detection of CMD Execution via AnyViewer RMM
- Detection of Suspicious triggering of ErrorHandler.cmd Execution
- FakeUpdates/SocGholish Malware Detection
- Raspberry Robin initial execution from external drive