Create proc_creation_win_wab_execution_from_non_default_location.yml
This commit is contained in:
Nasreddine Bencherchali
+27
@@ -0,0 +1,27 @@
|
||||
title: Wab Execution From Non Default Location
|
||||
id: 395907ee-96e5-4666-af2e-2ca91688e151
|
||||
status: experimental
|
||||
description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
|
||||
references:
|
||||
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
|
||||
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/08/12
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.execution
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\wab.exe'
|
||||
filter:
|
||||
Image|startswith:
|
||||
- 'C:\Windows\WinSxS\'
|
||||
- 'C:\Program Files\Windows Mail\'
|
||||
- 'C:\Program Files (x86)\Windows Mail\'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: high
|
||||
Reference in New Issue
Block a user