Ursnif Redirection Of Discovery Commands

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Sigma rule

```yaml
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # 'all' requires both strings; '*' is a Sigma wildcard and string matching is case-insensitive
        CommandLine|contains|all:
            - '/C '
            - ' >> *\appdata\local\temp\*.bin'
        Image|endswith:
            - '\cmd.exe'
        ParentImage|endswith:
            - '\explorer.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1059
```
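To see exactly what `selection1` does and does not fire on, the following is an added example (not the rule author's code and not Sigma's own backend): a small Python matcher that implements the Sigma string semantics the rule relies on (case-insensitive matching, `*` wildcards, the `contains`, `endswith` and `all` modifiers) and runs the selection over a handful of constructed `process_creation` events. The events, paths and file names are made up for illustration; the field names follow the Sigma Windows process_creation taxonomy (`Image`, `ParentImage`, `CommandLine`).

```python
import re

# Added example, not part of the Sigma project or the rule author's code:
# a minimal matcher for the Sigma semantics used by selection1 of rule
# 7aaa5739-12fc-41aa-b98b-23ec27d42bdf, run over constructed events.

# selection1 of the rule, transcribed field by field with its modifiers.
SELECTION1 = {
    "CommandLine|contains|all": ["/C ", r" >> *\appdata\local\temp\*.bin"],
    "Image|endswith": [r"\cmd.exe"],
    "ParentImage|endswith": [r"\explorer.exe"],
}


def sigma_value_to_regex(value: str, modifiers: set) -> re.Pattern:
    """Translate one Sigma string value into an anchored regex.

    Sigma strings match case-insensitively; '*' matches any run of characters
    and '?' a single character; everything else is literal (backslashes in
    Windows paths are ordinary characters, so they are escaped here).
    'contains' pads both ends with a wildcard, 'endswith' pads the front,
    'startswith' pads the back.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    elif "startswith" in modifiers:
        body = body + ".*"
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def field_matches(event: dict, key: str, values: list) -> bool:
    """Evaluate one 'Field|modifier...' entry of a selection against an event.

    A list of values is OR-ed by default; with the 'all' modifier every value
    must match, which is what makes both '/C ' and the redirection required.
    """
    field, *mods = key.split("|")
    modifiers = set(mods)
    actual = event.get(field)
    if actual is None:
        return False
    hits = [sigma_value_to_regex(v, modifiers).match(actual) is not None for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def matches_selection1(event: dict) -> bool:
    """condition: selection1 -> every field entry of the selection must match (AND)."""
    return all(field_matches(event, key, values) for key, values in SELECTION1.items())


# Constructed sample events (not real telemetry); paths and file names are invented.
SAMPLE_EVENTS = [
    # 0: explorer.exe -> cmd.exe appending discovery output to a .bin in %TEMP%: alerts
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /C systeminfo >> C:\Users\alice\AppData\Local\Temp\4D6A.bin"},
    # 1: same command line, but the parent is an interactive PowerShell, not explorer.exe: no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"cmd.exe /C systeminfo >> C:\Users\alice\AppData\Local\Temp\out.bin"},
    # 2: explorer.exe -> cmd.exe, but the output goes to a .txt rather than a .bin: no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /C tasklist >> C:\Users\alice\AppData\Local\Temp\tasks.txt"},
    # 3: lower-case switch and path; Sigma matching is case-insensitive, so this still alerts
    {"Image": r"c:\windows\system32\cmd.exe",
     "ParentImage": r"c:\windows\explorer.exe",
     "CommandLine": r"cmd.exe /c net view >> c:\users\bob\appdata\local\temp\1A2B.bin"},
    # 4: single '>' instead of '>>': the rule's literal ' >> ' does not match, so no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /C ipconfig /all > C:\Users\alice\AppData\Local\Temp\net.bin"},
]


def alerts(events: list) -> list:
    """Return the indices of the events that satisfy the rule's condition."""
    return [i for i, ev in enumerate(events) if matches_selection1(ev)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 3 alert; 1, 2 and 4 do not. Events 1, 2 and 4 illustrate how tight the rule is: it keys on `explorer.exe` as the parent (so the same command typed into a shell is not flagged), on the `.bin` extension, and on the literal `>>` append operator. Those are the anchors a variant could change, so treat this rule as a high-confidence signal rather than broad coverage of discovery redirection. The regex translation above is a simplified reading of the Sigma string semantics for illustration; for production use convert the rule with the Sigma tooling for your SIEM rather than this matcher.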
