SigmaHQ/rules/windows/process_creation/win_plugx_susp_exe_locations.yml

title: Executable Used by PlugX in Uncommon Location
id: aeab5ec5-be14-471a-80e8-e344418305c2
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth
date: 2017/06/12
tags:
    - attack.s0013
    - attack.defense_evasion
    - attack.t1073          # an old one
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cammute:
        Image: '*\CamMute.exe'
    filter_cammute:
        Image: 
          - '*\Lenovo\Communication Utility\\*'
          - '*\Lenovo\Communications Utility\\*'
    selection_chrome_frame:
        Image: '*\chrome_frame_helper.exe'
    filter_chrome_frame:
        Image: '*\Google\Chrome\application\\*'
    selection_devemu:
        Image: '*\dvcemumanager.exe'
    filter_devemu:
        Image: '*\Microsoft Device Emulator\\*'
    selection_gadget:
        Image: '*\Gadget.exe'
    filter_gadget:
        Image: '*\Windows Media Player\\*'
    selection_hcc:
        Image: '*\hcc.exe'
    filter_hcc:
        Image: '*\HTML Help Workshop\\*'
    selection_hkcmd:
        Image: '*\hkcmd.exe'
    filter_hkcmd:
        Image:
            - '*\System32\\*'
            - '*\SysNative\\*'
            - '*\SysWowo64\\*'
    selection_mc:
        Image: '*\Mc.exe'
    filter_mc:
        Image:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
    selection_msmpeng:
        Image: '*\MsMpEng.exe'
    filter_msmpeng:
        Image:
            - '*\Microsoft Security Client\\*'
            - '*\Windows Defender\\*'
            - '*\AntiMalware\\*'
    selection_msseces:
        Image: '*\msseces.exe'
    filter_msseces:
        Image:
            - '*\Microsoft Security Center\\*'
            - '*\Microsoft Security Client\\*'
            - '*\Microsoft Security Essentials\\*'
    selection_oinfo:
        Image: '*\OInfoP11.exe'
    filter_oinfo:
        Image: '*\Common Files\Microsoft Shared\\*'
    selection_oleview:
        Image: '*\OleView.exe'
    filter_oleview:
        Image:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
            - '*\Windows Resource Kit\\*'
    selection_rc:
        Image: '*\rc.exe'
    filter_rc:
        Image:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
            - '*\Windows Resource Kit\\*'
            - '*\Microsoft.NET\\*'
    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Executable Used by PlugX in Uncommon Location`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: aeab5ec5-be14-471a-80e8-e344418305c2`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/`
			`- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: Florian Roth`
			`date: 2017/06/12`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.s0013`
			`- attack.defense_evasion`
review windows/process_creation part 4 2020-09-02 00:34:34 +00:00			`- attack.t1073 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1574.002`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection_cammute:`
			`Image: '*\CamMute.exe'`
			`filter_cammute:`
fix: adding filter out for CamMute.exe 2021-04-01 08:39:40 +00:00			`Image:`
			`- '\Lenovo\Communication Utility\\'`
			`- '\Lenovo\Communications Utility\\'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection_chrome_frame:`
			`Image: '*\chrome_frame_helper.exe'`
			`filter_chrome_frame:`
			`Image: '\Google\Chrome\application\\'`
			`selection_devemu:`
			`Image: '*\dvcemumanager.exe'`
			`filter_devemu:`
			`Image: '\Microsoft Device Emulator\\'`
			`selection_gadget:`
			`Image: '*\Gadget.exe'`
			`filter_gadget:`
			`Image: '\Windows Media Player\\'`
			`selection_hcc:`
			`Image: '*\hcc.exe'`
			`filter_hcc:`
			`Image: '\HTML Help Workshop\\'`
			`selection_hkcmd:`
			`Image: '*\hkcmd.exe'`
			`filter_hkcmd:`
			`Image:`
			`- '\System32\\'`
			`- '\SysNative\\'`
			`- '\SysWowo64\\'`
			`selection_mc:`
			`Image: '*\Mc.exe'`
			`filter_mc:`
			`Image:`
			`- '\Microsoft Visual Studio'`
			`- '\Microsoft SDK'`
			`- '\Windows Kit'`
			`selection_msmpeng:`
			`Image: '*\MsMpEng.exe'`
			`filter_msmpeng:`
			`Image:`
			`- '\Microsoft Security Client\\'`
			`- '\Windows Defender\\'`
			`- '\AntiMalware\\'`
			`selection_msseces:`
			`Image: '*\msseces.exe'`
			`filter_msseces:`
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`Image:`
Extended filter list provided by @Ov3rflow 2019-03-02 07:13:29 +00:00			`- '\Microsoft Security Center\\'`
			`- '\Microsoft Security Client\\'`
			`- '\Microsoft Security Essentials\\'`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection_oinfo:`
			`Image: '*\OInfoP11.exe'`
			`filter_oinfo:`
			`Image: '\Common Files\Microsoft Shared\\'`
			`selection_oleview:`
			`Image: '*\OleView.exe'`
			`filter_oleview:`
			`Image:`
			`- '\Microsoft Visual Studio'`
			`- '\Microsoft SDK'`
			`- '\Windows Kit'`
			`- '\Windows Resource Kit\\'`
			`selection_rc:`
			`Image: '*\rc.exe'`
			`filter_rc:`
			`Image:`
			`- '\Microsoft Visual Studio'`
			`- '\Microsoft SDK'`
			`- '\Windows Kit'`
			`- '\Windows Resource Kit\\'`
			`- '\Microsoft.NET\\'`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`fields:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Unknown`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`