Suspicious Program Names

Title: Suspicious Program Names
Status: test
Description:Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
References:
  -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
Author: Florian Roth (Nextron Systems)
Date: 2022-02-11
modified:2023-03-22
Tags:

• -'attack.execution'
• -'attack.t1059'

Logsource:

• category: process_creation
• product: windows

Detection:
  selection_image:
    - Image|contains:
      - '\CVE-202'
      - '\CVE202'
    - Image|endswith:
      - '\poc.exe'
      - '\artifact.exe'
      - '\artifact64.exe'
      - '\artifact_protected.exe'
      - '\artifact32.exe'
      - '\artifact32big.exe'
      - 'obfuscated.exe'
      - 'obfusc.exe'
      - '\meterpreter'
  selection_commandline:
    CommandLine|contains:
      -'inject.ps1'
      -'Invoke-CVE'
      -'pupy.ps1'
      -'payload.ps1'
      -'beacon.ps1'
      -'PowerView.ps1'
      -'bypass.ps1'
      -'obfuscated.ps1'
      -'obfusc.ps1'
      -'obfus.ps1'
      -'obfs.ps1'
      -'evil.ps1'
      -'MiniDogz.ps1'
      -'_enc.ps1'
      -'\shell.ps1'
      -'\rshell.ps1'
      -'revshell.ps1'
      -'\av.ps1'
      -'\av_test.ps1'
      -'adrecon.ps1'
      -'mimikatz.ps1'
      -'\PowerUp_'
      -'powerup.ps1'
      -'\Temp\a.ps1'
      -'\Temp\p.ps1'
      -'\Temp\1.ps1'
      -'Hound.ps1'
      -'encode.ps1'
      -'powercat.ps1'

  condition:1 of selection*
Falsepositives:
  -Legitimate tools that accidentally match on the searched patterns
Level: high