FakeUpdates/SocGholish Malware Detection
Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
Sigma rule
```yaml
title: FakeUpdates/SocGholish Malware Detection
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
status: experimental
date: 2022/06/16
author: '@kostastsale'
references:
  - https://twitter.com/th3_protoCOL/status/1536788652889497600
  - https://twitter.com/1ZRR4H/status/1537501582727778304
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\wscript.exe'
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - '/c'
  selection2:
    ParentImage|endswith:
      - '\wscript.exe'
    Image|endswith:
      - '\powershell.exe'
  selection3:
    ParentCommandLine|contains|all:
      - 'Appdata\Local\Temp'
      - '.zip'
      - 'update'
      - '.js'
  selection4:
    ParentCommandLine|contains:
      - 'Chrome'
      - 'Edge'
      - 'Firefox'
      - 'Opera'
      - 'Brave' # Not seen in campaigns
      - 'Vivaldi' # Not seen in campaigns
  condition: (selection1 or selection2) and selection3 and selection4
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.T1059.001
```
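To show how the four selections and the condition combine on real-looking telemetry, here is a small Python re-implementation of the rule's matching logic run over constructed process_creation events. This is added example code, not part of the original page and not the Sigma project's own matcher; the event dictionaries, paths and command lines are invented for illustration, and the matcher follows Sigma's default of case-insensitive string comparison for `endswith` and `contains`.

```python
"""Evaluate the FakeUpdates/SocGholish Sigma logic over constructed events.

Example code written for this page; not the Sigma project's matcher.
Field names mirror the Sigma process_creation fields used by the rule.
"""


def _lc(event, field):
    # Absent fields never match, which is how Sigma treats a missing field.
    return str(event.get(field, "")).lower()


def endswith_any(event, field, values):
    # Sigma 'endswith' over a list: match if any value is a suffix.
    v = _lc(event, field)
    return any(v.endswith(x.lower()) for x in values)


def contains_any(event, field, values):
    # Sigma 'contains' over a list: match if any value is a substring.
    v = _lc(event, field)
    return any(x.lower() in v for x in values)


def contains_all(event, field, values):
    # Sigma 'contains|all': every listed value must be a substring.
    v = _lc(event, field)
    return all(x.lower() in v for x in values)


BROWSERS = ["Chrome", "Edge", "Firefox", "Opera", "Brave", "Vivaldi"]
LURE_PARTS = ["Appdata\\Local\\Temp", ".zip", "update", ".js"]


def selection1(e):
    return (endswith_any(e, "ParentImage", ["\\wscript.exe"])
            and endswith_any(e, "Image", ["\\cmd.exe"])
            and contains_any(e, "CommandLine", ["/c"]))


def selection2(e):
    return (endswith_any(e, "ParentImage", ["\\wscript.exe"])
            and endswith_any(e, "Image", ["\\powershell.exe"]))


def selection3(e):
    return contains_all(e, "ParentCommandLine", LURE_PARTS)


def selection4(e):
    return contains_any(e, "ParentCommandLine", BROWSERS)


def matches(e):
    # condition: (selection1 or selection2) and selection3 and selection4
    return (selection1(e) or selection2(e)) and selection3(e) and selection4(e)


# Constructed sample events (hypothetical paths and commands, not real telemetry).
SAMPLE_EVENTS = [
    {   # wscript running a "Chrome update" .js extracted to Temp, spawning cmd /c
        "id": 1,
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": '"C:\\Windows\\System32\\wscript.exe" '
                             '"C:\\Users\\u\\AppData\\Local\\Temp\\Chrome.Update.zip\\Chrome.Update.js"',
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo stage",
    },
    {   # same lure pattern, but the child process is powershell (selection2 path)
        "id": 2,
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\Firefox-update.zip\\update.js",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Date",
    },
    {   # benign logon script: wscript -> cmd /c, but no Temp/.zip/update/.js lure name
        "id": 3,
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe \\\\fileserver\\netlogon\\mapdrives.vbs",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c net use H: \\\\fileserver\\home",
    },
    {   # lure-looking name but the child is notepad: neither selection1 nor selection2
        "id": 4,
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\Edge-update.zip\\update.js",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe",
    },
]


def matching_ids(events=SAMPLE_EVENTS):
    """Return the ids of events the rule condition fires on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(matching_ids())  # [1, 2]
```

Events 3 and 4 show why the condition is a conjunction: a wscript-to-cmd chain alone (a common logon script) does not fire without the Temp/.zip/update/.js lure name and a browser name in the parent command line, and a lure-named script that never spawns cmd or powershell does not fire either.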
Related rules
- Raspberry Robin initial execution from external drive
- Raspberry Robin subsequent execution of commands
- ChromeLoader Malware Detection
- Scheduled task executing powershell encoded payload from registry
- ms-msdt for RCE CVE-2022-30190