← Back to Explore
sigmamediumHunting
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
Detection Query
selection:
OriginalFileName: BOINC.exe
filter_main_legit_name:
Image|endswith: \BOINC.exe
condition: selection and not 1 of filter_main_*
Author
Matt Anderson (Huntress)
Created
2024-07-23
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1553
Raw Content
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: test
description: Detects the execution of a renamed BOINC binary.
references:
- https://boinc.berkeley.edu/
- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.defense-evasion
- attack.t1553
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'BOINC.exe'
filter_main_legit_name:
Image|endswith: '\BOINC.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium