SigmaHQ/rules/windows/process_creation/win_malware_formbook.yml
2020-11-27 15:26:15 -03:00

52 lines
1.8 KiB
YAML

title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to
delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
date: 2019/09/30
modified: 2019/10/31
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
logsource:
category: process_creation
product: windows
detection:
selection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
ParentCommandLine|endswith:
- '.exe'
selection2:
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\AppData\Local\Temp\'
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\Desktop\'
- CommandLine|contains|all:
- '/C'
- 'type nul >'
- 'C:\Users\'
- '\Desktop\'
selection3:
CommandLine|endswith: '.exe'
condition: selection and selection2 and selection3
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: critical