Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
```yaml
title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: test
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-03-22
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|contains:
            - '\CVE-202' # Update this when we reach the year 2100
            - '\CVE202' # Update this when we reach the year 2100
        - Image|endswith:
            - '\poc.exe'
            - '\artifact.exe'
            - '\artifact64.exe'
            - '\artifact_protected.exe'
            - '\artifact32.exe'
            - '\artifact32big.exe'
            - 'obfuscated.exe'
            - 'obfusc.exe'
            - '\meterpreter'
    selection_commandline:
        CommandLine|contains:
            - 'inject.ps1'
            - 'Invoke-CVE'
            - 'pupy.ps1'
            - 'payload.ps1'
            - 'beacon.ps1'
            - 'PowerView.ps1'
            - 'bypass.ps1'
            - 'obfuscated.ps1'
            - 'obfusc.ps1'
            - 'obfus.ps1'
            - 'obfs.ps1'
            - 'evil.ps1'
            - 'MiniDogz.ps1'
            - '_enc.ps1'
            - '\shell.ps1'
            - '\rshell.ps1'
            - 'revshell.ps1'
            - '\av.ps1'
            - '\av_test.ps1'
            - 'adrecon.ps1'
            - 'mimikatz.ps1'
            - '\PowerUp_'
            - 'powerup.ps1'
            - '\Temp\a.ps1'
            - '\Temp\p.ps1'
            - '\Temp\1.ps1'
            - 'Hound.ps1'
            - 'encode.ps1'
            - 'powercat.ps1'
    condition: 1 of selection*
falsepositives:
    - Legitimate tools that accidentally match on the searched patterns
level: high
```
Microsoft Sentinel (KQL) translation of the rule:

```kusto
imProcessCreate
| where ((TargetProcessName contains "\\CVE-202" or TargetProcessName contains "\\CVE202")
    or (TargetProcessName endswith "\\poc.exe" or TargetProcessName endswith "\\artifact.exe" or TargetProcessName endswith "\\artifact64.exe" or TargetProcessName endswith "\\artifact_protected.exe" or TargetProcessName endswith "\\artifact32.exe" or TargetProcessName endswith "\\artifact32big.exe" or TargetProcessName endswith "obfuscated.exe" or TargetProcessName endswith "obfusc.exe" or TargetProcessName endswith "\\meterpreter"))
    or (TargetProcessCommandLine contains "inject.ps1" or TargetProcessCommandLine contains "Invoke-CVE" or TargetProcessCommandLine contains "pupy.ps1" or TargetProcessCommandLine contains "payload.ps1" or TargetProcessCommandLine contains "beacon.ps1" or TargetProcessCommandLine contains "PowerView.ps1" or TargetProcessCommandLine contains "bypass.ps1" or TargetProcessCommandLine contains "obfuscated.ps1" or TargetProcessCommandLine contains "obfusc.ps1" or TargetProcessCommandLine contains "obfus.ps1" or TargetProcessCommandLine contains "obfs.ps1" or TargetProcessCommandLine contains "evil.ps1" or TargetProcessCommandLine contains "MiniDogz.ps1" or TargetProcessCommandLine contains "_enc.ps1" or TargetProcessCommandLine contains "\\shell.ps1" or TargetProcessCommandLine contains "\\rshell.ps1" or TargetProcessCommandLine contains "revshell.ps1" or TargetProcessCommandLine contains "\\av.ps1" or TargetProcessCommandLine contains "\\av_test.ps1" or TargetProcessCommandLine contains "adrecon.ps1" or TargetProcessCommandLine contains "mimikatz.ps1" or TargetProcessCommandLine contains "\\PowerUp_" or TargetProcessCommandLine contains "powerup.ps1" or TargetProcessCommandLine contains "\\Temp\\a.ps1" or TargetProcessCommandLine contains "\\Temp\\p.ps1" or TargetProcessCommandLine contains "\\Temp\\1.ps1" or TargetProcessCommandLine contains "Hound.ps1" or TargetProcessCommandLine contains "encode.ps1" or TargetProcessCommandLine contains "powercat.ps1")
```

| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
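The rule's matching semantics, as an added example that is not part of the Sigma rule or its Sentinel translation: a small evaluator that applies both selections (case-insensitive, as Sigma and KQL `contains`/`endswith` are) to constructed process-creation events, showing how the unanchored `obfuscated.exe` pattern also fires on a longer name such as `Notobfuscated.exe`, which is the kind of false positive the rule's `falsepositives` field warns about. The `SAMPLE_EVENTS` are constructed, not real telemetry.

```python
# Added evaluator for the "Suspicious Program Names" Sigma rule; not the rule's own code.
# Sigma string matching is case-insensitive, so both sides are lower-cased before comparing.
IMAGE_CONTAINS = [r"\CVE-202", r"\CVE202"]
IMAGE_ENDSWITH = [r"\poc.exe", r"\artifact.exe", r"\artifact64.exe", r"\artifact_protected.exe",
                  r"\artifact32.exe", r"\artifact32big.exe", "obfuscated.exe", "obfusc.exe",
                  r"\meterpreter"]
CMDLINE_CONTAINS = ["inject.ps1", "Invoke-CVE", "pupy.ps1", "payload.ps1", "beacon.ps1",
                    "PowerView.ps1", "bypass.ps1", "obfuscated.ps1", "obfusc.ps1", "obfus.ps1",
                    "obfs.ps1", "evil.ps1", "MiniDogz.ps1", "_enc.ps1", r"\shell.ps1",
                    r"\rshell.ps1", "revshell.ps1", r"\av.ps1", r"\av_test.ps1", "adrecon.ps1",
                    "mimikatz.ps1", r"\PowerUp_", "powerup.ps1", r"\Temp\a.ps1", r"\Temp\p.ps1",
                    r"\Temp\1.ps1", "Hound.ps1", "encode.ps1", "powercat.ps1"]


def matches(event: dict) -> list:
    """Return the names of the selections that fire for one event (empty list = no alert)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # selection_image is a list of two maps, i.e. contains-list OR endswith-list
    if any(p.lower() in image for p in IMAGE_CONTAINS) or \
            any(image.endswith(p.lower()) for p in IMAGE_ENDSWITH):
        hits.append("selection_image")
    if any(p.lower() in cmd for p in CMDLINE_CONTAINS):
        hits.append("selection_commandline")
    return hits  # condition "1 of selection*": alert when at least one selection fired


# Constructed sample events (hypothetical paths, not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\cve-2021-1234\poc.exe", "CommandLine": "poc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Temp\a.ps1"},
    # unanchored 'obfuscated.exe' pattern: a legitimate "Notobfuscated.exe" also matches
    {"Image": r"C:\Program Files\Vendor\Notobfuscated.exe", "CommandLine": "Notobfuscated.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate each event; returns (image basename, fired selections) pairs for triage review."""
    return [(e["Image"].rsplit("\\", 1)[-1], matches(e)) for e in events]


if __name__ == "__main__":
    for name, fired in run():
        print(f"{name:<22} {'ALERT ' + ','.join(fired) if fired else 'no match'}")
```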