Nasreddine Bencherchali
51 lines
1.6 KiB
YAML
51 lines
1.6 KiB
YAML
title: Potential Dridex Activity
|
|
id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
|
|
status: stable
|
|
description: Detects potential Dridex acitvity via specific process patterns
|
|
references:
|
|
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
|
|
- https://redcanary.com/threat-detection-report/threats/dridex/
|
|
author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2019/01/10
|
|
modified: 2023/02/03
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.privilege_escalation
|
|
- attack.t1055
|
|
- attack.discovery
|
|
- attack.t1135
|
|
- attack.t1033
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_svchost:
|
|
Image|endswith: '\svchost.exe'
|
|
CommandLine|contains|all:
|
|
- 'C:\Users\'
|
|
- '\Desktop\'
|
|
filter_svchost:
|
|
ParentImage|startswith: 'C:\Windows\System32\'
|
|
selection_regsvr:
|
|
ParentImage|endswith: '\excel.exe'
|
|
Image|endswith: '\regsvr32.exe'
|
|
CommandLine|contains:
|
|
- ' -s '
|
|
- '\AppData\Local\Temp\'
|
|
filter_regsvr:
|
|
CommandLine|contains: '.dll'
|
|
selection_anomaly_parent:
|
|
ParentImage|endswith: '\svchost.exe'
|
|
selection_anomaly_child_1:
|
|
Image|endswith: '\whoami.exe'
|
|
CommandLine|contains: ' /all'
|
|
selection_anomaly_child_2:
|
|
Image|endswith:
|
|
- '\net.exe'
|
|
- '\net1.exe'
|
|
CommandLine|contains: ' view'
|
|
condition: (selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*)
|
|
falsepositives:
|
|
- Unlikely
|
|
level: critical
|