From 3ac28f3eedfabbafcf5ef6d47c725cf694bf37be Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 30 Oct 2019 15:15:57 +0100
Subject: [PATCH] rule: DTRACK process creation

---
 .../process_creation/win_malware_dtrack.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/win_malware_dtrack.yml

diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
new file mode 100644
index 000000000..3b532a1d2
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -0,0 +1,21 @@
+title: DTRACK Process Creation
+status: experimental
+description: Detects specific process parameters as seen in DTRACK infections
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://securelist.com/my-name-is-dtrack/93338/
+ - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '* echo EEEE > *'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: critical
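Review bot: The `CommandLine: '* echo EEEE > *'` selection is pinned to one exact spacing of a single literal string, so a trivially reworded form that cmd.exe accepts just as well, such as `echo EEEE>file` with no space before the redirect, would not fire even though the rule is rated `critical` with false positives marked `Unlikely`. Consider expressing the known spacing variants as an OR list under the field, e.g. `CommandLine:` / `- '* echo EEEE > *'` / `- '* echo EEEE>*'`, so a single whitespace change does not silently evade it. The rule also puts no constraint on `Image` or the parent process, so any process whose command line carries that substring matches; that is acceptable for a short, unusual token, but it should be stated in the description rather than left implicit. Since the string appears to be a campaign-specific artifact taken from the referenced analysis rather than a general DTRACK trait, the `description` line would be clearer as `description: Detects the 'echo EEEE >' command line artifact observed in DTRACK infections (campaign-specific indicator, see references)` so analysts do not read it as broad DTRACK coverage.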