mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
58 lines
1.4 KiB
YAML
58 lines
1.4 KiB
YAML
title: Squirrel Lolbin
|
|
id: fa4b21c9-0057-4493-b289-2556416ae4d7
|
|
status: experimental
|
|
description: Detects Possible Squirrel Packages Manager as Lolbin
|
|
references:
|
|
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
|
|
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
|
tags:
|
|
- attack.execution
|
|
author: Karneades / Markus Neis
|
|
date: 2019/11/12
|
|
falsepositives:
|
|
- 1Clipboard
|
|
- Beaker Browser
|
|
- Caret
|
|
- Collectie
|
|
- Discord
|
|
- Figma
|
|
- Flow
|
|
- Ghost
|
|
- GitHub Desktop
|
|
- GitKraken
|
|
- Hyper
|
|
- Insomnia
|
|
- JIBO
|
|
- Kap
|
|
- Kitematic
|
|
- Now Desktop
|
|
- Postman
|
|
- PostmanCanary
|
|
- Rambox
|
|
- Simplenote
|
|
- Skype
|
|
- Slack
|
|
- SourceTree
|
|
- Stride
|
|
- Svgsus
|
|
- WebTorrent
|
|
- WhatsApp
|
|
- WordPress.com
|
|
- atom
|
|
- gitkraken
|
|
- slack
|
|
- teams
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image:
|
|
- '*\update.exe' # Check if folder Name matches executed binary \\(?P<first>[^\\]*)\\Update.*Start.{2}(?P<second>\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
|
|
CommandLine:
|
|
- '*--processStart*.exe*'
|
|
- '*--processStartAndWait*.exe*'
|
|
- '*--createShortcut*.exe*'
|
|
condition: selection
|