FakeUpdates/SocGholish Malware Detection
Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
Sigma rule
title: FakeUpdates/SocGholish Malware Detection
id: 97805087-93ab-4203-b5cb-287cda6aecaa
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
status: experimental
date: 2022/06/16
author: '@kostastsale'
references:
    - https://twitter.com/th3_protoCOL/status/1536788652889497600
    - https://twitter.com/1ZRR4H/status/1537501582727778304
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith:
            - '\wscript.exe'
        Image|endswith:
            - '\cmd.exe'
        CommandLine|contains:
            - '/c'
    selection2:
        ParentImage|endswith:
            - '\wscript.exe'
        Image|endswith:
            - '\powershell.exe'
    selection3:
        ParentCommandLine|contains|all:
            - 'Appdata\Local\Temp'
            - '.zip'
            - 'update'
            - '.js'
    selection4:
        ParentCommandLine|contains:
            - 'Chrome'
            - 'Edge'
            - 'Firefox'
            - 'Opera'
            - 'Brave' # Not seen in campaigns
            - 'Vivaldi' # Not seen in campaigns
    condition: (selection1 or selection2) and selection3 and selection4
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059.001
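To see exactly what the condition above fires on, here is the rule's four selections and their combination reimplemented in Python and run over two constructed process_creation events; this is an added example, not code from the rule or the Sigma project, and the helper names, sample paths and events are assumptions.

```python
# Added example (not part of the Sigma rule): the rule's selections and
# condition reimplemented in Python, evaluated over constructed events.
# Sigma string modifiers are case-insensitive by default, hence .lower().

def _ends_with(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def _contains(value, needles, all_of=False):
    hits = (n.lower() in value.lower() for n in needles)
    return all(hits) if all_of else any(hits)

BROWSERS = ["Chrome", "Edge", "Firefox", "Opera", "Brave", "Vivaldi"]
LURE_MARKERS = ["Appdata\\Local\\Temp", ".zip", "update", ".js"]

def matches_socgholish(event):
    """(selection1 or selection2) and selection3 and selection4"""
    parent, image = event.get("ParentImage", ""), event.get("Image", "")
    cmd, parent_cmd = event.get("CommandLine", ""), event.get("ParentCommandLine", "")
    from_wscript = _ends_with(parent, ["\\wscript.exe"])
    selection1 = from_wscript and _ends_with(image, ["\\cmd.exe"]) and _contains(cmd, ["/c"])
    selection2 = from_wscript and _ends_with(image, ["\\powershell.exe"])
    selection3 = _contains(parent_cmd, LURE_MARKERS, all_of=True)  # zip-extracted update*.js in Temp
    selection4 = _contains(parent_cmd, BROWSERS)                    # browser-themed lure name
    return (selection1 or selection2) and selection3 and selection4

# Constructed sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {  # expected to match: wscript runs a "Chrome update" .js from a zip in Temp, spawns cmd /c
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.js"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c ver",
    },
    {  # expected not to match: wscript spawns powershell, but no browser-update lure in Temp
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.js',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\map.ps1",
    },
]

def evaluate(events):
    """Return one bool per event: True where the rule's condition holds."""
    return [matches_socgholish(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH" if hit else "no match", "<-", event["ParentCommandLine"])
```

The second event shows why selection3 and selection4 matter: a wscript-to-powershell chain alone does not match, only one whose parent command line also carries the browser-update lure markers.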
Related rules
- ChromeLoader Malware Detection
- Raspberry Robin initial execution from external drive
- Raspberry Robin subsequent execution of commands
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- Detecting Ammy Admin RMM Agent Execution