title: Formbook Process Creation id: 032f5fb3-d959-41a5-9263-4173c802dc2b status: experimental description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. author: Florian Roth date: 2019/09/30 modified: 2019/10/31 references: - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/ - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ logsource: category: process_creation product: windows detection: selection: # Parent command line should not contain a space value # This avoids false positives not caused by process injection # e.g. wscript.exe /B sysmon-install.vbs ParentCommandLine: - 'C:\Windows\System32\\*.exe' - 'C:\Windows\SysWOW64\\*.exe' CommandLine|endswith: - ' /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' - ' /c del "C:\Users\\*\Desktop\\*.exe' - ' /C type nul > "C:\Users\\*\Desktop\\*.exe' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - Unknown level: critical