Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
34 lines (33 sloc) 1.38 KB
title: Formbook Process Creation
status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth
date: 2019/09/30
modified: 2019/10/31
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
logsource:
category: process_creation
product: windows
detection:
selection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine:
- 'C:\Windows\System32\\*.exe'
- 'C:\Windows\SysWOW64\\*.exe'
CommandLine:
- '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- '* /c del "C:\Users\\*\Desktop\\*.exe'
- '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
level: critical
You can’t perform that action at this time.