Ursnif Redirection Of Discovery Commands

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Sigma rule

```yaml
title: Ursnif Redirection Of Discovery Commands
description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
status: experimental
date: 2023/07/16
author: '@kostastsale'
references:
    - 
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - '/C '
            - ' >> *\appdata\local\temp\*.bin'
        Image|endswith:
            - '\cmd.exe'
        ParentImage|endswith:
            - '\explorer.exe'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.T1059
```
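To show what the rule above actually evaluates, here is an added Python example (not part of the rule page or the Sigma project) that transcribes the rule's `selection1` and runs it over three constructed process_creation events. The Sigma string semantics it implements are the standard ones: matching is case-insensitive, `*` is a wildcard, `contains`/`endswith` are substring and suffix tests, and `|all` requires every listed value to match. The event field names, paths and command lines are constructed for illustration.

```python
import re

# selection1 of the rule, transcribed from the page. The matching code below
# is this example's own re-implementation, not the Sigma toolchain.
RULE = {
    "CommandLine|contains|all": ["/C ", " >> *\\appdata\\local\\temp\\*.bin"],
    "Image|endswith": ["\\cmd.exe"],
    "ParentImage|endswith": ["\\explorer.exe"],
}


def sigma_to_regex(pattern: str, modifier: str) -> re.Pattern:
    """Translate one Sigma string value into a full-match regex.

    '*' matches any run of characters, '?' a single character, everything
    else is literal; the modifier decides where the value may sit in the
    observed field. Sigma string matching is case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    body = "".join(parts)
    if modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier == "endswith":
        body = ".*" + body
    elif modifier == "startswith":
        body = body + ".*"
    # "equals" (no modifier) keeps the body as-is: exact, case-insensitive match.
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def selection_matches(event: dict, selection: dict) -> bool:
    """Return True when every field test in the selection holds for the event."""
    for key, values in selection.items():
        field, *mods = key.split("|")
        mode = next((m for m in mods if m in ("contains", "endswith", "startswith")), "equals")
        observed = str(event.get(field, ""))
        hits = [sigma_to_regex(v, mode).fullmatch(observed) is not None for v in values]
        # '|all' means every value must hit; otherwise any single hit suffices.
        if "all" in mods and not all(hits):
            return False
        if "all" not in mods and not any(hits):
            return False
    return True


# Constructed sample events in the shape of a Sysmon/EDR process_creation log.
EVENTS = [
    {  # constructed: satisfies every selector of the rule
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /C systeminfo >> C:\\Users\\alice\\AppData\\Local\\Temp\\1f2a.bin",
    },
    {  # constructed: same redirection, but the parent is a script host, not explorer.exe
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": "cmd.exe /C systeminfo >> C:\\Users\\alice\\AppData\\Local\\Temp\\1f2a.bin",
    },
    {  # constructed: ordinary redirection to a .txt file, not a .bin file
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /C dir >> C:\\Users\\alice\\AppData\\Local\\Temp\\listing.txt",
    },
]


def run_rule(events, selection=RULE):
    """Indexes of the events that the rule's condition (selection1) fires on."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


if __name__ == "__main__":
    print("alerting event indexes:", run_rule(EVENTS))  # → [0]
```

The second event is the instructive one: the rule deliberately anchors on `explorer.exe` as the parent (the user-launched initial execution the description refers to), so the same redirection spawned by a script host does not fire. That is a tuning decision, not a bug, but a detection engineer deploying this rule should know the blind spot and decide whether a broader parent set is acceptable for their false-positive budget.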
