title: Squirrel Lolbin id: fa4b21c9-0057-4493-b289-2556416ae4d7 status: experimental description: Detects Possible Squirrel Packages Manager as Lolbin references: - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ tags: - attack.execution - attack.defense_evasion - attack.t1218 author: Karneades / Markus Neis date: 2019/11/12 modified: 2020/08/28 falsepositives: - 1Clipboard - Beaker Browser - Caret - Collectie - Discord - Figma - Flow - Ghost - GitHub Desktop - GitKraken - Hyper - Insomnia - JIBO - Kap - Kitematic - Now Desktop - Postman - PostmanCanary - Rambox - Simplenote - Skype - Slack - SourceTree - Stride - Svgsus - WebTorrent - WhatsApp - WordPress.com - atom - gitkraken - slack - teams level: high logsource: category: process_creation product: windows detection: selection: Image: - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) CommandLine: - '*--processStart*.exe*' - '*--processStartAndWait*.exe*' - '*--createShortcut*.exe*' condition: selection