Sigma | medium | Hunting
Writing Of Malicious Files To The Fonts Folder
Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Detection Query
selection_1:
    CommandLine|contains:
        - echo
        - copy
        - type
        - file createnew
        - cacls
selection_2:
    CommandLine|contains: C:\Windows\Fonts\
selection_3:
    CommandLine|contains:
        - .sh
        - .exe
        - .dll
        - .bin
        - .bat
        - .cmd
        - .js
        - .msh
        - .reg
        - .scr
        - .ps
        - .vb
        - .jar
        - .pl
        - .inf
        - .cpl
        - .hta
        - .msi
        - .vbs
condition: all of selection_*
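To make the combination of the three selections concrete, the following Python script (an added illustration, not part of the rule or of any Sigma tooling) evaluates the rule's `CommandLine|contains` tests, with Sigma's default case-insensitive substring semantics, over a handful of constructed command lines. The sample events are hypothetical and are not taken from the page or from any incident.

```python
"""Evaluate the Fonts-folder Sigma rule's selections over constructed process-creation events.

Added illustration of how `CommandLine|contains` tests combine under
`condition: all of selection_*`; this is not Sigma tooling and not the rule author's code.
"""

# Match values transcribed from the rule's detection block above.
SELECTION_1 = ["echo", "copy", "type", "file createnew", "cacls"]
SELECTION_2 = ["C:\\Windows\\Fonts\\"]
SELECTION_3 = [".sh", ".exe", ".dll", ".bin", ".bat", ".cmd", ".js", ".msh", ".reg",
               ".scr", ".ps", ".vb", ".jar", ".pl", ".inf", ".cpl", ".hta", ".msi", ".vbs"]

SELECTIONS = {
    "selection_1": SELECTION_1,
    "selection_2": SELECTION_2,
    "selection_3": SELECTION_3,
}


def contains_any(command_line: str, needles: list[str]) -> bool:
    """Sigma `contains`: case-insensitive substring test against any listed value."""
    haystack = command_line.casefold()
    return any(needle.casefold() in haystack for needle in needles)


def matched_selections(command_line: str) -> dict[str, bool]:
    """Report which of the three selections hit for one CommandLine field."""
    return {name: contains_any(command_line, values) for name, values in SELECTIONS.items()}


def matches_rule(command_line: str) -> bool:
    """`condition: all of selection_*` -> every selection must be satisfied."""
    return all(matched_selections(command_line).values())


# Constructed sample events (hypothetical command lines, not from the page or any incident).
SAMPLE_EVENTS = [
    # staging a file into the Fonts folder: all three selections hit
    "cmd.exe /c copy C:\\Users\\Public\\stage.exe C:\\Windows\\Fonts\\stage.exe",
    # writing a script with echo: ".ps" also matches ".ps1" because `contains` is a substring test
    "echo hello > C:\\Windows\\Fonts\\run.ps1",
    # benign read of a real font file: no listed extension anywhere in the line, so no match
    "type C:\\Windows\\Fonts\\arial.ttf",
    # the same benign action launched through cmd.exe: "cmd.exe" alone satisfies selection_3
    "cmd.exe /c type C:\\Windows\\Fonts\\arial.ttf",
    # Fonts path present but no verb from selection_1, so no match
    "fc /b C:\\Windows\\Fonts\\arial.ttf C:\\Temp\\arial.ttf",
]


def evaluate(events: list[str]) -> list[tuple[str, bool]]:
    """Run the rule over a list of CommandLine values, returning (command_line, matched) pairs."""
    return [(event, matches_rule(event)) for event in events]


if __name__ == "__main__":
    for command_line, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'MATCH' if hit else 'no   '}  {command_line}")
```

The fourth sample shows a tuning point for this rule: because the CommandLine field normally carries the image name (cmd.exe, powershell.exe), the `.exe` entry in selection_3 is satisfied by almost any command line, so in practice the rule reduces to "a selection_1 verb plus the Fonts path". Anchoring the extension list to the end of the path argument, or checking the written file name rather than the whole command line, would narrow it.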
Author
Sreeman
Created
2020-04-21
Data Sources
windows / Process Creation Events
Platforms
windows
Tags
attack.t1211, attack.t1059, attack.defense-evasion, attack.persistence, attack.execution
Raw Content
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.t1211
    - attack.t1059
    - attack.defense-evasion
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium