mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
219f00e3fb
Implements #418
58 lines
1.4 KiB
YAML
58 lines
1.4 KiB
YAML
title: Squirrel Lolbin
|
||
status: experimental
|
||
description: Detects Possible Squirrel Packages Manager as Lolbin
|
||
references:
|
||
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
|
||
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
||
tags:
|
||
- attack.execution
|
||
author: Karneades / Markus Neis
|
||
falsepositives:
|
||
- 1Clipboard
|
||
- Beaker Browser
|
||
- Caret
|
||
- Collectie
|
||
- Discord
|
||
- Figma
|
||
- Flow
|
||
- Ghost
|
||
- GitHub Desktop
|
||
- GitKraken
|
||
- Hyper
|
||
- Insomnia
|
||
- JIBO
|
||
- Kap
|
||
- Kitematic
|
||
- Now Desktop
|
||
- Postman
|
||
- PostmanCanary
|
||
- Rambox
|
||
- Simplenote
|
||
- Skype
|
||
- Slack
|
||
- SourceTree
|
||
- Stride
|
||
- Svgsus
|
||
- WebTorrent
|
||
- WhatsApp
|
||
- WordPress.com
|
||
- atom
|
||
- gitkraken
|
||
- slack
|
||
- teams
|
||
level: high
|
||
logsource:
|
||
category: process_creation
|
||
product: windows
|
||
detection:
|
||
selection:
|
||
Image:
|
||
- '*\update.exe' # Check if folder Name matches executed binary \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
|
||
CommandLine:
|
||
- '*--processStart*.exe*'
|
||
- '*--processStartAndWait*.exe*'
|
||
- '*–createShortcut*.exe*'
|
||
condition: selection
|
||
|
||
|