DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events for file system activity including creation, modification, and deletion.
detection:
selection:
Image|endswith:
- '\Autoit3.exe'
- '\curl.exe'
- '\ExtExport.exe'
- '\KeyScramblerLogon.exe'
- '\wmprph.exe'
TargetFilename|endswith: '\Autoit3.exe'
condition: selectionFalse positive likelihood has not been assessed. Additional context may be needed during triage.
Other