rules/windows/process_creation/proc_creation_win_mouse_lock.yml

title: Mouse Lock Credential Gathering
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
author: Cian Heasley
references:
  - https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf
  - https://sourceforge.net/projects/mouselock/
date: 2020/08/13
modified: 2021/11/27
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    - Product|contains: 'Mouse Lock'
    - Company|contains: 'Misc314'
    - CommandLine|contains: 'Mouse Lock_'
  condition: selection
fields:
  - Product
  - Company
  - CommandLine
falsepositives:
  - Legitimate uses of Mouse Lock software
level: medium
tags:
  - attack.credential_access
  - attack.collection
  - attack.t1056.002
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`title: Mouse Lock Credential Gathering`
			`id: c9192ad9-75e5-43eb-8647-82a0a5b493e3`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.`
			`author: Cian Heasley`
fix reference field + add test for references in plural form 2020-11-27 10:17:45 +01:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://github.com/klsecservices/Publications/blob/master/Incident-Response-Analyst-Report-2020.pdf`
			`- https://sourceforge.net/projects/mouselock/`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`date: 2020/08/13`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: windows`
			`category: process_creation`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`- Product\|contains: 'Mouse Lock'`
			`- Company\|contains: 'Misc314'`
			`- CommandLine\|contains: 'Mouse Lock_'`
			`condition: selection`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Product`
			`- Company`
			`- CommandLine`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Legitimate uses of Mouse Lock software`
win_mouse_lock.yml 2020-08-13 12:09:07 +01:00			`level: medium`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.credential_access`
			`- attack.collection`
			`- attack.t1056.002`