title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: experimental
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
author: Florian Roth
date: 2022/02/11
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
logsource:
    category: process_creation
    product: windows
detection:
   selection_image:
      - Image|contains:
         '\CVE-202'
      - Image|endswith:
         - '\poc.exe'
         - '\artifact.exe'
         - '\artifact64.exe'
         - '\artifact_protected.exe'
         - '\artifact32.exe'
         - '\artifact32big.exe'
         - 'obfuscated.exe'
         - 'obfusc.exe'
         - '\meterpreter'
   selection_commandline:
      CommandLine|contains:
         - 'inject.ps1'
         - 'Invoke-CVE'
         - 'pupy.ps1'
         - 'payload.ps1'
         - 'beacon.ps1'
         - 'PowerView.ps1'
         - 'bypass.ps1'
         - 'obfuscated.ps1'
         - 'obfusc.ps1'
         - 'obfus.ps1'
         - 'obfs.ps1'
         - 'evil.ps1'
         - 'MiniDogz.ps1'
         - '_enc.ps1'
         - '\shell.ps1'
         - '\rshell.ps1'
         - 'revshell.ps1'
         - '\av.ps1'
         - '\av_test.ps1'
         - 'adrecon.ps1'
         - 'mimikatz.ps1'
         - '\PowerUp_'
         - 'powerup.ps1'
         - '\Temp\a.ps1'
         - '\Temp\p.ps1'
         - '\Temp\1.ps1'
         - 'Hound.ps1'
         - 'encode.ps1'
         - 'powercat.ps1'
   condition: 1 of selection*
falsepositives:
    - Legitimate tools that accidentally match on the searched patterns
level: high
fields:
    - CommandLine
    - ParentCommandLine
    - CurrentDirectory