title: DTRACK Process Creation
id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
status: experimental
description: Detects specific process parameters as seen in DTRACK infections
author: Florian Roth
date: 2019/10/30
references:
    - https://securelist.com/my-name-is-dtrack/93338/
    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: '* echo EEEE > *'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical