Ursnif Redirection Of Discovery Commands
Detects Ursnif redirecting the output of its initial discovery commands into a .bin file under \AppData\Local\Temp: a cmd.exe /C command line whose output is appended with >> to such a file, with explorer.exe as the parent process.
Sigma rule (View on GitHub)
```yaml
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
  -
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    CommandLine|contains|all:
      - '/C '
      # '\\*' is the Sigma escape for a literal backslash followed by a wildcard;
      # a bare '\*' is an escaped (literal) asterisk and would never match a real path.
      - ' >> *\appdata\local\temp\\*.bin'
    Image|endswith:
      - '\cmd.exe'
    ParentImage|endswith:
      - '\explorer.exe'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059
```
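To see what selection1 actually matches, the following added example (written for this page, not the rule author's tooling or any Sigma backend) implements Sigma's string semantics (case-insensitive matching, `*`/`?` wildcards, `contains`/`startswith`/`endswith` modifiers and the backslash escaping rules) and runs the selection over a handful of constructed Sysmon Event ID 1 style records. The command lines, user name and file names in the sample events are invented for illustration.

```python
import re
from typing import Dict, List, Sequence

# Added example, not part of the original rule page.

def sigma_to_regex(value: str, modifiers: Sequence[str]) -> "re.Pattern[str]":
    r"""Compile one Sigma string value to a regex, honouring Sigma escaping:
    '*' and '?' are wildcards, '\*' and '\?' are literal wildcard characters,
    '\\' is a literal backslash, and a backslash before any other character is
    itself a literal backslash (so '\temp' means the five characters \temp)."""
    out: List[str] = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))  # escaped: literal character
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        else:
            out.append(re.escape(c))
        i += 1
    body = "".join(out)
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "startswith" in modifiers:
        body = body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    # Sigma string matching is case-insensitive by default.
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def selection_matches(event: Dict[str, str], selection: Dict[str, Sequence[str]]) -> bool:
    """Evaluate a Sigma selection map against one event: every key must hold;
    a list of values is OR-ed unless the 'all' modifier is present."""
    for key, values in selection.items():
        field, *mods = key.split("|")
        observed = event.get(field, "")
        hits = [sigma_to_regex(v, mods).fullmatch(observed) is not None for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


# selection1 from the rule above, as a Python structure.
RULE_SELECTION1: Dict[str, Sequence[str]] = {
    "CommandLine|contains|all": ["/C ", r" >> *\appdata\local\temp\\*.bin"],
    "Image|endswith": [r"\cmd.exe"],
    "ParentImage|endswith": [r"\explorer.exe"],
}

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: discovery output appended to a .bin in %LOCALAPPDATA%\Temp -> match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /C systeminfo >> C:\Users\bob\AppData\Local\Temp\4F2A.bin",
    },
    {   # 1: same shape, but the target is a .txt -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /C systeminfo >> C:\Users\bob\AppData\Local\Temp\4F2A.txt",
    },
    {   # 2: identical command line spawned by WINWORD.EXE -> no match (parent filter)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"cmd.exe /C systeminfo >> C:\Users\bob\AppData\Local\Temp\4F2A.bin",
    },
    {   # 3: lower-case /c and a quoted command still match (case-insensitive)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c "net view >> C:\Users\bob\AppData\Local\Temp\4F2A.bin"',
    },
]


def run_rule(events: Sequence[Dict[str, str]],
             selection: Dict[str, Sequence[str]] = RULE_SELECTION1) -> List[int]:
    """Return the indices of the events that satisfy the selection."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, selection)]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Two points the run makes visible. First, event 2 shows the blind spot created by the ParentImage filter: the same command line launched from an Office process or a script host is not alerted on, so the rule is tuned for Ursnif's explorer.exe-injected stage only. Second, the value must spell the wildcard after the Temp directory as `\\*`; with a bare `\*` the rule would ask for a literal asterisk and would miss every real path, which is exactly the kind of silent failure a backend test like this catches before the rule is deployed.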
Related rules
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- ChromeLoader Malware Detection
- Detecting Ammy Admin RMM Agent Execution
- Detection of CMD Execution via AnyViewer RMM
- Detection of Suspicious triggering of ErrorHandler.cmd Execution