Emerging Threathightest

Formbook Process Creation

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems), oscd.community, Jonhnathan RibeiroCreated Mon Sep 30Updated Thu Oct 06032f5fb3-d959-41a5-9263-4173c802dc2b2019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection1:
        # Parent command line should not contain a space value
        # This avoids false positives not caused by process injection
        # e.g. wscript.exe /B sysmon-install.vbs
        ParentCommandLine|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        ParentCommandLine|endswith: '.exe'
    selection2:
        - CommandLine|contains|all:
              - '/c'
              - 'del'
              - 'C:\Users\'
              - '\AppData\Local\Temp\'
        - CommandLine|contains|all:
              - '/c'
              - 'del'
              - 'C:\Users\'
              - '\Desktop\'
        - CommandLine|contains|all:
              - '/C'
              - 'type nul >'
              - 'C:\Users\'
              - '\Desktop\'
    selection3:
        CommandLine|endswith: '.exe'
    condition: all of selection*