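title: Executable used by PlugX in Uncommon Location
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
    - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
author: Florian Roth
date: 2017/06/12
logsource:
    product: windows
    service: security
detection:
    # Each pair below is "the binary was started" (selection_*) minus "it was
    # started from its expected install directory" (filter_*). A filter whose
    # path pattern never matches turns every legitimate launch into a hit, so
    # the directory patterns must be spelled exactly as they appear on disk.
    # CamMute
    selection_cammute:
        EventID: 4688
        ProcessCommandLine: '*\CamMute.exe'
    filter_cammute:
        EventID: 4688
        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
    # Chrome Frame Helper
    selection_chrome_frame:
        EventID: 4688
        ProcessCommandLine: '*\chrome_frame_helper.exe'
    filter_chrome_frame:
        EventID: 4688
        ProcessCommandLine: '*\Google\Chrome\application\*'
    # Microsoft Device Emulator
    selection_devemu:
        EventID: 4688
        ProcessCommandLine: '*\dvcemumanager.exe'
    filter_devemu:
        EventID: 4688
        ProcessCommandLine: '*\Microsoft Device Emulator\*'
    # Windows Media Player Gadget
    selection_gadget:
        EventID: 4688
        ProcessCommandLine: '*\Gadget.exe'
    filter_gadget:
        EventID: 4688
        ProcessCommandLine: '*\Windows Media Player\*'
    # HTML Help Workshop
    selection_hcc:
        EventID: 4688
        ProcessCommandLine: '*\hcc.exe'
    filter_hcc:
        EventID: 4688
        ProcessCommandLine: '*\HTML Help Workshop\*'
    # Hotkey Command Module for Intel Graphics Controllers
    selection_hkcmd:
        EventID: 4688
        ProcessCommandLine: '*\hkcmd.exe'
    filter_hkcmd:
        EventID: 4688
        ProcessCommandLine:
            - '*\System32\*'
            - '*\SysNative\*'
            - '*\SysWOW64\*'   # was '*\SysWowo64\*' (typo): the 32-bit system dir was never excluded
    # McAfee component
    selection_mc:
        EventID: 4688
        ProcessCommandLine: '*\Mc.exe'
    filter_mc:
        EventID: 4688
        ProcessCommandLine:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
    # MsMpEng - Microsoft Malware Protection Engine
    selection_msmpeng:
        EventID: 4688
        ProcessCommandLine: '*\MsMpEng.exe'
    filter_msmpeng:
        EventID: 4688
        ProcessCommandLine:
            - '*\Microsoft Security Client\*'
            - '*\Windows Defender\*'
            - '*\AntiMalware\*'
    # Microsoft Security Center
    selection_msseces:
        EventID: 4688
        ProcessCommandLine: '*\msseces.exe'
    filter_msseces:
        EventID: 4688
        ProcessCommandLine: '*\Microsoft Security Center\*'
    # Microsoft Office 2003 OInfo
    selection_oinfo:
        EventID: 4688
        ProcessCommandLine: '*\OInfoP11.exe'
    filter_oinfo:
        EventID: 4688
        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'
    # OLE View
    selection_oleview:
        EventID: 4688
        ProcessCommandLine: '*\OleView.exe'
    filter_oleview:
        EventID: 4688
        ProcessCommandLine:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
            - '*\Windows Resource Kit\*'
    # RC (Resource Compiler)
    selection_rc:
        EventID: 4688
        ProcessCommandLine: '*\rc.exe'   # was '*\OleView.exe', a copy of selection_oleview; rc.exe was never selected
    filter_rc:
        EventID: 4688
        ProcessCommandLine:
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
            - '*\Windows Resource Kit\*'
            - '*\Microsoft.NET\*'
    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
falsepositives:
    - Unknown
level: high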