Detectionmediumtest
Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe"
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Avneet Singh, oscd.communityCreated Sun Oct 18Updated Mon Jan 09148431ce-4b70-403d-8525-fcc2993f29eawindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic4 selectors
detection:
selection_img:
- Image|endswith: '\tracker.exe'
- Description: 'Tracker'
selection_cli:
CommandLine|contains:
- ' /d '
- ' /c '
filter_msbuild1:
CommandLine|contains: ' /ERRORREPORT:PROMPT '
filter_msbuild2:
# Example:
# GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
# ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
# CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
ParentImage|endswith:
- '\Msbuild\Current\Bin\MSBuild.exe'
- '\Msbuild\Current\Bin\amd64\MSBuild.exe'
condition: all of selection_* and not 1 of filter_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
148431ce-4b70-403d-8525-fcc2993f29ea
Status
test
Level
medium
Type
Detection
Created
Sun Oct 18
Modified
Mon Jan 09
Author
Path
rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
Raw Tags
attack.privilege-escalationattack.defense-evasionattack.t1055.001