sigmahighHunting

Suspicious Program Names

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

MITRE ATT&CK

execution

Detection Query

selection_image:
  - Image|contains:
      - \CVE-202
      - \CVE202
  - Image|endswith:
      - \poc.exe
      - \artifact.exe
      - \artifact64.exe
      - \artifact_protected.exe
      - \artifact32.exe
      - \artifact32big.exe
      - obfuscated.exe
      - obfusc.exe
      - \meterpreter
selection_commandline:
  CommandLine|contains:
    - inject.ps1
    - Invoke-CVE
    - pupy.ps1
    - payload.ps1
    - beacon.ps1
    - PowerView.ps1
    - bypass.ps1
    - obfuscated.ps1
    - obfusc.ps1
    - obfus.ps1
    - obfs.ps1
    - evil.ps1
    - MiniDogz.ps1
    - _enc.ps1
    - \shell.ps1
    - \rshell.ps1
    - revshell.ps1
    - \av.ps1
    - \av_test.ps1
    - adrecon.ps1
    - mimikatz.ps1
    - \PowerUp_
    - powerup.ps1
    - \Temp\a.ps1
    - \Temp\p.ps1
    - \Temp\1.ps1
    - Hound.ps1
    - encode.ps1
    - powercat.ps1
condition: 1 of selection*

Author

Florian Roth (Nextron Systems)

Created

2022-02-11

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md

Tags

attack.executionattack.t1059

Raw Content

title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: test
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-03-22
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|contains:
              - '\CVE-202' # Update this when we reach the year 2100
              - '\CVE202' # Update this when we reach the year 2100
        - Image|endswith:
              - '\poc.exe'
              - '\artifact.exe'
              - '\artifact64.exe'
              - '\artifact_protected.exe'
              - '\artifact32.exe'
              - '\artifact32big.exe'
              - 'obfuscated.exe'
              - 'obfusc.exe'
              - '\meterpreter'
    selection_commandline:
        CommandLine|contains:
            - 'inject.ps1'
            - 'Invoke-CVE'
            - 'pupy.ps1'
            - 'payload.ps1'
            - 'beacon.ps1'
            - 'PowerView.ps1'
            - 'bypass.ps1'
            - 'obfuscated.ps1'
            - 'obfusc.ps1'
            - 'obfus.ps1'
            - 'obfs.ps1'
            - 'evil.ps1'
            - 'MiniDogz.ps1'
            - '_enc.ps1'
            - '\shell.ps1'
            - '\rshell.ps1'
            - 'revshell.ps1'
            - '\av.ps1'
            - '\av_test.ps1'
            - 'adrecon.ps1'
            - 'mimikatz.ps1'
            - '\PowerUp_'
            - 'powerup.ps1'
            - '\Temp\a.ps1'
            - '\Temp\p.ps1'
            - '\Temp\1.ps1'
            - 'Hound.ps1'
            - 'encode.ps1'
            - 'powercat.ps1'
    condition: 1 of selection*
falsepositives:
    - Legitimate tools that accidentally match on the searched patterns
level: high