title: Dridex Process Pattern
id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
status: experimental
description: Detects typical Dridex process patterns
references:
    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
author: Florian Roth
date: 2019/01/10
modified: 2020/09/01
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.discovery
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
    selection2:
        ParentImage: '*\svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them
falsepositives:
    - Unlikely
level: critical
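Added worked example, not part of the rule or the Sigma project: a minimal Python evaluator that applies this rule's two selections to constructed process_creation events, showing how Sigma's case-insensitive wildcard matching, the AND between fields, the OR within a value list, and `condition: 1 of them` combine. The patterns are copied from the rule; the events, field names and matcher are assumptions of this example.

```python
import re

# Patterns copied from the rule above. YAML single quotes keep backslashes literal;
# in Sigma "\\" is an escaped backslash, "*" a wildcard and matching is case-insensitive.
RULE = {
    "selection1": {"CommandLine": [r"*\svchost.exe C:\Users\\*\Desktop\\*"]},
    "selection2": {
        "ParentImage": [r"*\svchost.exe*"],
        "CommandLine": [r"*whoami.exe /all", r"*net.exe view"],
    },
}

def sigma_to_regex(pattern):
    """Translate a plain Sigma wildcard pattern into an anchored, case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))  # escaped backslash or wildcard is literal
            i += 2
        elif c in "*?":
            out.append(".*" if c == "*" else ".")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)

def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list of values for one field is OR."""
    return all(any(sigma_to_regex(v).match(event.get(field, "")) for v in values)
               for field, values in selection.items())

def rule_matches(event):
    """Names of matching selections; 'condition: 1 of them' fires when this is non-empty."""
    return [name for name, sel in RULE.items() if selection_matches(sel, event)]

# Constructed sample process_creation events (field names as in the rule, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe C:\Users\alice\Desktop\invoice.doc"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": r"whoami.exe /all"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_matches(ev) or "no match", "<-", ev["CommandLine"])
```

The third event is a normal service host launch and matches neither selection, which is the behaviour the rule's `falsepositives: Unlikely` entry relies on.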