Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
Sigma rule

```yaml
title: Ursnif Redirection Of Discovery Commands
description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - '/C '
            - ' >> *\appdata\local\temp\*.bin'
        Image|endswith:
            - '\cmd.exe'
        ParentImage|endswith:
            - '\explorer.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1059
```
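To make the selection logic concrete, here is an added Python matcher (not code from the Sigma project or from this rule's author) that applies the three conditions of `selection1` with Sigma's case-insensitive, wildcard-aware string matching to constructed process-creation events; the event field names follow Sigma's `process_creation` taxonomy and the sample paths are assumptions.

```python
import re
from typing import Dict, List

# selection1 of the rule above, transcribed as Python data (field|modifier keys).
RULE_SELECTION = {
    "CommandLine|contains|all": ["/C ", " >> *\\appdata\\local\\temp\\*.bin"],
    "Image|endswith": ["\\cmd.exe"],
    "ParentImage|endswith": ["\\explorer.exe"],
}

def _wildcard_to_regex(pattern: str) -> str:
    # Sigma '*' matches any run of characters; every other character is literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))

def _matches(value: str, pattern: str, modifier: str) -> bool:
    # Sigma string comparison is case-insensitive, so '/C ' also hits '/c '.
    body = _wildcard_to_regex(pattern)
    anchored = {"contains": body, "endswith": body + "$",
                "startswith": "^" + body, "equals": "^" + body + "$"}[modifier]
    return re.search(anchored, value, re.IGNORECASE | re.DOTALL) is not None

def event_matches(event: Dict[str, str]) -> bool:
    # All keys of a selection map are ANDed; list values are ORed unless '|all' is set.
    for key, patterns in RULE_SELECTION.items():
        field, *mods = key.split("|")
        modifier = next((m for m in mods if m != "all"), "equals")
        hits = [_matches(event.get(field, ""), p, modifier) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

# Constructed sample events (assumed paths and users), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",            # should match
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /C systeminfo >> C:\\Users\\alice\\AppData\\Local\\Temp\\A1B2.bin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",            # wrong parent: no match
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "cmd.exe /C net view >> C:\\Users\\alice\\AppData\\Local\\Temp\\C3D4.bin"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",            # .txt, not .bin: no match
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /C dir >> C:\\Users\\alice\\AppData\\Local\\Temp\\out.txt"},
]

def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    # Indices of the events that would raise this rule's alert.
    return [i for i, e in enumerate(events) if event_matches(e)]
```

Running `matching_indices(SAMPLE_EVENTS)` returns `[0]`: only the cmd.exe child of explorer.exe that appends discovery output to a `.bin` file under the local Temp directory satisfies all three conditions.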
Related rules
- Suspicious Activity in Shell Commands
- Suspicious Scan Loop Network
- Arbitrary Command Execution Using WSL
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation