Arbitrary File Download Via Squirrel.EXE
Detects the usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_download_cli:
        CommandLine|contains:
            - ' --download '
            - ' --update '
            - ' --updateRollback='
    selection_download_http_keyword:
        CommandLine|contains: 'http'
    condition: all of selection_*

False positives: expected with some Electron-based applications such as 1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.
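The following is an added example, not SigmaHQ code, that applies the three selections above to a few constructed process-creation events so the "all of selection_*" logic can be checked by hand; it assumes Sigma's default case-insensitive string matching, and the paths and URLs in the events are placeholders.

```python
# Added example (not SigmaHQ code): applies the detection block above to a few
# constructed process-creation events. Sigma's default string matching is
# case-insensitive, so both sides are lower-cased before comparison.

IMAGE_SUFFIXES = ("\\squirrel.exe", "\\update.exe")                    # selection_img
DOWNLOAD_FLAGS = (" --download ", " --update ", " --updateRollback=")  # selection_download_cli
HTTP_KEYWORD = "http"                                                  # selection_download_http_keyword


def matches_rule(event: dict) -> bool:
    """Return True when all three selections match, i.e. 'all of selection_*'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_img = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    selection_cli = any(f.lower() in cmdline for f in DOWNLOAD_FLAGS)
    selection_http = HTTP_KEYWORD in cmdline
    return selection_img and selection_cli and selection_http


# Constructed events; paths and URLs are placeholders, not observed data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Discord\Update.exe",
     "CommandLine": "Update.exe --download http://example.invalid/pkg.nupkg"},   # match
    {"Image": r"C:\Users\alice\AppData\Local\Discord\Update.exe",
     "CommandLine": "Update.exe --processStart Discord.exe"},                    # no download flag
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe --download http://example.invalid/x"},          # wrong image
    {"Image": r"C:\Tools\SQUIRREL.EXE",
     "CommandLine": "SQUIRREL.EXE --UPDATE HTTPS://example.invalid/"},          # match (case)
    {"Image": r"C:\Users\bob\AppData\Local\Slack\Update.exe",
     "CommandLine": "Update.exe --updateRollback=http://example.invalid/old"},   # match
]


def matching_indices(events) -> list:
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"event {i} matches: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The first and last events are the shape a legitimate Electron updater produces, which is why the rule's false-positive note lists those applications; tuning usually means filtering on the parent process or the installation path rather than dropping the download flags.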
Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)
Detects similar activity. Both rules may fire on overlapping events.
fa4b21c9-0057-4493-b289-2556416ae4d7