frack113
65 lines
1.7 KiB
YAML
65 lines
1.7 KiB
YAML
title: Suspicious Program Names
|
|
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
|
|
status: experimental
|
|
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
|
|
author: Florian Roth
|
|
date: 2022/02/11
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_image:
|
|
- Image|contains:
|
|
'\CVE-202'
|
|
- Image|endswith:
|
|
- '\poc.exe'
|
|
- '\artifact.exe'
|
|
- '\artifact64.exe'
|
|
- '\artifact_protected.exe'
|
|
- '\artifact32.exe'
|
|
- '\artifact32big.exe'
|
|
- 'obfuscated.exe'
|
|
- 'obfusc.exe'
|
|
- '\meterpreter'
|
|
selection_commandline:
|
|
CommandLine|contains:
|
|
- 'inject.ps1'
|
|
- 'Invoke-CVE'
|
|
- 'pupy.ps1'
|
|
- 'payload.ps1'
|
|
- 'beacon.ps1'
|
|
- 'PowerView.ps1'
|
|
- 'bypass.ps1'
|
|
- 'obfuscated.ps1'
|
|
- 'obfusc.ps1'
|
|
- 'obfus.ps1'
|
|
- 'obfs.ps1'
|
|
- 'evil.ps1'
|
|
- 'MiniDogz.ps1'
|
|
- '_enc.ps1'
|
|
- '\shell.ps1'
|
|
- '\rshell.ps1'
|
|
- 'revshell.ps1'
|
|
- '\av.ps1'
|
|
- '\av_test.ps1'
|
|
- 'adrecon.ps1'
|
|
- 'mimikatz.ps1'
|
|
- '\PowerUp_'
|
|
- 'powerup.ps1'
|
|
- '\Temp\a.ps1'
|
|
- '\Temp\p.ps1'
|
|
- '\Temp\1.ps1'
|
|
- 'Hound.ps1'
|
|
- 'encode.ps1'
|
|
- 'powercat.ps1'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Legitimate tools that accidentally match on the searched patterns
|
|
level: high
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
- CurrentDirectory
|