rules/windows/process_creation/win_malware_formbook.yml

title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: test
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
references:
  - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
  - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
  - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
  - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
date: 2019/09/30
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
        # Parent command line should not contain a space value
        # This avoids false positives not caused by process injection
        # e.g. wscript.exe /B sysmon-install.vbs
    ParentCommandLine|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
    ParentCommandLine|endswith:
      - '.exe'
  selection2:
    - CommandLine|contains|all:
      - '/c'
      - 'del'
      - 'C:\Users\'
      - '\AppData\Local\Temp\'
    - CommandLine|contains|all:
      - '/c'
      - 'del'
      - 'C:\Users\'
      - '\Desktop\'
    - CommandLine|contains|all:
      - '/C'
      - 'type nul >'
      - 'C:\Users\'
      - '\Desktop\'
  selection3:
    CommandLine|endswith: '.exe'
  condition: selection and selection2 and selection3
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: critical
tags:
  - attack.develop_capabilities
  - attack.t1587.001
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`title: Formbook Process Creation`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 032f5fb3-d959-41a5-9263-4173c802dc2b`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
			`description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.`
Update win_malware_formbook.yml 2020-11-27 15:26:15 -03:00			`author: Florian Roth, oscd.community, Jonhnathan Ribeiro`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer`
			`- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/`
			`- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/`
			`- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/`
			`date: 2019/09/30`
			`modified: 2021/11/27`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`# Parent command line should not contain a space value`
			`# This avoids false positives not caused by process injection`
			`# e.g. wscript.exe /B sysmon-install.vbs`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`ParentCommandLine\|startswith:`
			`- 'C:\Windows\System32\'`
			`- 'C:\Windows\SysWOW64\'`
			`ParentCommandLine\|endswith:`
			`- '.exe'`
			`selection2:`
			`- CommandLine\|contains\|all:`
			`- '/c'`
			`- 'del'`
			`- 'C:\Users\'`
			`- '\AppData\Local\Temp\'`
			`- CommandLine\|contains\|all:`
			`- '/c'`
			`- 'del'`
			`- 'C:\Users\'`
			`- '\Desktop\'`
			`- CommandLine\|contains\|all:`
			`- '/C'`
			`- 'type nul >'`
			`- 'C:\Users\'`
			`- '\Desktop\'`
			`selection3:`
			`CommandLine\|endswith: '.exe'`
			`condition: selection and selection2 and selection3`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- CommandLine`
			`- ParentCommandLine`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
rule: formbook malware process creation 2019-09-30 18:57:58 +02:00			`level: critical`
$frack113$ add missing tags 2021-09-08 20:14:49 +02:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.develop_capabilities`
			`- attack.t1587.001`