Nasreddine Bencherchali
83 lines
2.0 KiB
YAML
83 lines
2.0 KiB
YAML
title: Squirrel Lolbin
|
|
id: fa4b21c9-0057-4493-b289-2556416ae4d7
|
|
status: deprecated
|
|
description: Detects Possible Squirrel Packages Manager as Lolbin
|
|
references:
|
|
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
|
|
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
|
|
author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
|
|
date: 2019/11/12
|
|
modified: 2023/02/14
|
|
tags:
|
|
- attack.execution
|
|
- attack.defense_evasion
|
|
- attack.t1218
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
Image|endswith: '\update.exe'
|
|
selection2:
|
|
CommandLine|contains:
|
|
- '--processStart'
|
|
- '--processStartAndWait'
|
|
- '--createShortcut'
|
|
filter_discord:
|
|
CommandLine|contains|all:
|
|
- 'C:\Users\'
|
|
- '\AppData\Local\Discord\Update.exe'
|
|
- ' --processStart'
|
|
- 'Discord.exe'
|
|
filter_github_desktop:
|
|
CommandLine|contains|all:
|
|
- 'C:\Users\'
|
|
- '\AppData\Local\GitHubDesktop\Update.exe'
|
|
- 'GitHubDesktop.exe'
|
|
CommandLine|contains:
|
|
- '--createShortcut'
|
|
- '--processStartAndWait'
|
|
filter_teams:
|
|
CommandLine|contains|all:
|
|
- 'C:\Users\'
|
|
- '\AppData\Local\Microsoft\Teams\Update.exe'
|
|
- 'Teams.exe'
|
|
CommandLine|contains:
|
|
- '--processStart'
|
|
- '--createShortcut'
|
|
condition: all of selection* and not 1 of filter_*
|
|
falsepositives:
|
|
- 1Clipboard
|
|
- Beaker Browser
|
|
- Caret
|
|
- Collectie
|
|
- Discord
|
|
- Figma
|
|
- Flow
|
|
- Ghost
|
|
- GitHub Desktop
|
|
- GitKraken
|
|
- Hyper
|
|
- Insomnia
|
|
- JIBO
|
|
- Kap
|
|
- Kitematic
|
|
- Now Desktop
|
|
- Postman
|
|
- PostmanCanary
|
|
- Rambox
|
|
- Simplenote
|
|
- Skype
|
|
- Slack
|
|
- SourceTree
|
|
- Stride
|
|
- Svgsus
|
|
- WebTorrent
|
|
- WhatsApp
|
|
- WordPress.com
|
|
- Atom
|
|
- Gitkraken
|
|
- Slack
|
|
- Teams
|
|
level: medium
|