title: DTRACK Process Creation
id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
status: stable
description: Detects specific process parameters as seen in DTRACK infections
author: Florian Roth
references:
    - https://securelist.com/my-name-is-dtrack/93338/
    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
date: 2019/10/30
modified: 2021/11/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' echo EEEE > '
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.impact
    - attack.t1490