SigmaHQ/rules/windows/process_creation/win_susp_squirrel_lolbin.yml

title: Squirrel Lolbin
status: experimental
description: Detects Possible Squirrel Packages Manager as Lolbin 
references:
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/  
tags:
    - attack.execution     
author: Karneades / Markus Neis
falsepositives:
    - 1Clipboard
    - Beaker Browser
    - Caret
    - Collectie
    - Discord
    - Figma
    - Flow
    - Ghost
    - GitHub Desktop
    - GitKraken
    - Hyper
    - Insomnia
    - JIBO
    - Kap
    - Kitematic
    - Now Desktop
    - Postman
    - PostmanCanary
    - Rambox
    - Simplenote
    - Skype
    - Slack
    - SourceTree
    - Stride
    - Svgsus
    - WebTorrent
    - WhatsApp
    - WordPress.com
    - atom
    - gitkraken
    - slack
    - teams
level: high
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\update.exe'                           # Check if folder Name matches executed binary  \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
        CommandLine:
            - '*--processStart*.exe*'
            - '*–createShortcut*.exe*'
    condition: selection
-												Auto stash before rebase of "Neo23x0/master"
											
										
										
											2019-04-03 14:25:18 +00:00
+								title: Squirrel Lolbin
 								status: experimental
 								description: Detects Possible Squirrel Packages Manager as Lolbin
 								references:
 								    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
 								tags:
 								    - attack.execution
 								author: Karneades / Markus Neis
 								falsepositives:
 								    - 1Clipboard
 								    - Beaker Browser
 								    - Caret
 								    - Collectie
 								    - Discord
 								    - Figma
 								    - Flow
 								    - Ghost
 								    - GitHub Desktop
 								    - GitKraken
 								    - Hyper
 								    - Insomnia
 								    - JIBO
 								    - Kap
 								    - Kitematic
 								    - Now Desktop
 								    - Postman
 								    - PostmanCanary
 								    - Rambox
 								    - Simplenote
 								    - Skype
 								    - Slack
 								    - SourceTree
 								    - Stride
 								    - Svgsus
 								    - WebTorrent
 								    - WhatsApp
 								    - WordPress.com
 								    - atom
 								    - gitkraken
 								    - slack
 								    - teams
 								level: high
 								logsource:
 								    category: process_creation
 								    product: windows
 								detection:
 								    selection:
 								        Image:
 								            - '*\update.exe'                           # Check if folder Name matches executed binary  \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
 								        CommandLine:
 								            - '*--processStart*.exe*'
 								            - '*–createShortcut*.exe*'
 								    condition: selection