From 66cbdbfff59bcaa49194cfcd18fd24b08064475e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 30 Sep 2019 15:53:23 +0200
Subject: [PATCH] rule: emotet process creation
---
 .../process_creation/win_malware_emotet.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/process_creation/win_malware_emotet.yml
diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml
new file mode 100644
index 000000000..75eb62055
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@@ -0,0 +1,22 @@
+title: Emotet Process Creation
+status: experimental
+description: Detects all Emotet like process executions that are not covered by the more generic rules
+author: Florian Roth
+date: 2019/09/30
+references:
+ - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
+ - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '* -enco PAA*'
+ condition: 1 of them
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: critical
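Review bot: The single pattern `'* -enco PAA*'` is opaque to a maintainer, because nothing in the rule records that `-enco` is one of PowerShell's accepted prefixes of `-EncodedCommand` and that `PAA` is the Base64 prefix produced by a UTF-16LE payload beginning with `<`, which is why it looks specific to this Emotet loader. I would extend the description to say so, for example `description: Detects Emotet-like PowerShell launches whose encoded command (abbreviated -enco) starts with PAA, i.e. a UTF-16LE payload beginning with "<"; complements the generic encoded-command rules`. Since PowerShell also accepts shorter prefixes of the same parameter, the rule is deliberately narrow and should be read as a sample-specific indicator rather than a general encoded-command detection; a comment noting that the generic rules referenced in the description remain the primary coverage would make that explicit. The rule also lacks the `id:` and `tags:` keys (for example `attack.execution`) that the repository's other rules carry, and `condition: 1 of them` could simply be `condition: selection1` given there is only one selection.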