Detection rules › Sigma
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Stealth | T1027 Obfuscated Files or Information |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
description: Detects all Emotet like process executions that are not covered by the more generic rules
references:
- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
date: 2019-09-30
modified: 2023-02-04
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' -e* PAA'
- 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
- 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
- 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
- 'IgAoACcAKgAnACkAOwAkA' # "('*');$
- 'IAKAAnACoAJwApADsAJA' # "('*');$
- 'iACgAJwAqACcAKQA7ACQA' # "('*');$
- 'JABGAGwAeAByAGgAYwBmAGQ'
- 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(
- '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(
- '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(
filter:
CommandLine|contains:
- 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
- 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
- '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Stages and Predicates
Stage 0: condition
selection and not filterStage 1: selection
selection:
CommandLine|contains:
- ' -e* PAA'
- 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ'
- 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA'
- 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA'
- 'IgAoACcAKgAnACkAOwAkA'
- 'IAKAAnACoAJwApADsAJA'
- 'iACgAJwAqACcAKQA7ACQA'
- 'JABGAGwAeAByAGgAYwBmAGQ'
- 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA'
- '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA'
- '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA'
Stage 2: not filter
filter:
CommandLine|contains:
- 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
- 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
- '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
CommandLine | match | 8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA |
CommandLine | match | fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ |
CommandLine | match | wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|