title: Dridex Process Pattern
status: experimental
description: Detects typical Dridex process patterns
references:
    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
author: Florian Roth
date: 2019/01/10
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
    selection2:
        ParentImage: '*\svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them
falsepositives:
    - Unlikely
level: critical
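To see exactly which process_creation events this rule fires on, here is an added Python example (not part of the Sigma rule or the Sigma project's own code) that implements the rule's two selections and its `1 of them` condition with Sigma's wildcard and escaping semantics, then runs them over a handful of constructed Sysmon-style events. The event field values are made up for illustration; the patterns are copied verbatim from the rule above.

```python
import re

# The two selections of the rule, as Python raw strings. Within a selection
# every field must match (AND); a list of values for one field is OR.
RULE_SELECTIONS = {
    "selection1": {
        "CommandLine": [r"*\svchost.exe C:\Users\\*\Desktop\\*"],
    },
    "selection2": {
        "ParentImage": [r"*\svchost.exe*"],
        "CommandLine": [r"*whoami.exe /all", r"*net.exe view"],
    },
}


def sigma_to_regex(pattern: str) -> re.Pattern:
    r"""Translate one Sigma string value into an anchored, case-insensitive regex.

    Sigma escaping: '*' and '?' are wildcards, '\*' and '\?' are the literal
    characters, '\\' is one literal backslash, and a backslash in front of any
    other character is itself a literal backslash (so '\svchost' is '\' + 's').
    Hence 'C:\Users\\*' means 'C:\Users\' followed by a wildcard.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            parts.append(re.escape(pattern[i + 1]))  # escaped wildcard or backslash
            i += 2
        elif ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(ch))  # ordinary character, including a lone '\'
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = {
    name: {field: [sigma_to_regex(v) for v in values] for field, values in sel.items()}
    for name, sel in RULE_SELECTIONS.items()
}


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields of the selection must match; any listed value per field suffices."""
    for field, regexes in selection.items():
        value = event.get(field)
        if value is None or not any(rx.match(value) for rx in regexes):
            return False
    return True


def evaluate(event: dict) -> list:
    """condition '1 of them': the rule fires if at least one selection matches.
    Returns the names of the matching selections (empty list = no alert)."""
    return [name for name, sel in COMPILED.items() if selection_matches(event, sel)]


# Constructed process_creation events with Sysmon field names; not real telemetry.
SAMPLE_EVENTS = [
    {   # svchost.exe started with a path under a user's Desktop -> selection1
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe C:\Users\alice\Desktop\payload.dll",
    },
    {   # recon child of svchost.exe -> selection2
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": r"C:\Windows\System32\whoami.exe /all",
    },
    {   # second recon command of selection2
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": "net.exe view",
    },
    {   # same recon command, but the parent is cmd.exe -> no match
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\whoami.exe",
        "CommandLine": "whoami.exe /all",
    },
    {   # ordinary service host start -> no match
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # 'net view' typed without '.exe' is not covered by '*net.exe view'
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\net.exe",
        "CommandLine": "net view",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "-", ev["CommandLine"])
```

The last sample event shows a coverage gap worth knowing about: both selection2 values require the `.exe` suffix in the command line, so `whoami /all` or `net view` as typed at a shell (and therefore as recorded in CommandLine) will not match, even when the parent is svchost.exe. Also note that `*\svchost.exe*` on ParentImage matches any path ending in `\svchost.exe`, including a copy placed under a user profile, which is what makes selection2 useful here.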