Threat Huntinformationaltest

Potential BOINC Software Execution (UC-Berkeley Signature)

Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Matt Anderson (Huntress)Created Tue Jul 230090b851-3543-42db-828c-02fee986ff0bwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Description: 'University of California, Berkeley'
    condition: selection

False Positives

This software can be used for legitimate purposes when installed intentionally.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0005 · Defense Evasion

Techniques

T1553 · Subvert Trust Controls

Other

detection.threat-hunting

Rule Metadata

Rule ID

0090b851-3543-42db-828c-02fee986ff0b

Status

test

Level

informational

Type

Threat Hunt

Created

Tue Jul 23

Author

Matt Anderson (Huntress)

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml

Raw Tags

attack.executionattack.defense-evasionattack.t1553detection.threat-hunting

View on GitHub