Detection rules › Sigma

Potential Devil Bait Related Indicator

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC

Event coverage

ProviderEventTitle
SysmonEvent ID 11FileCreate

Rule body yaml

title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\schtasks.exe'
            - '\wscript.exe'
            - '\mshta.exe'
        # Example folders used by the samples include:
        #   - %AppData%\Microsoft\Network\
        #   - %AppData%\Microsoft\Office\
        TargetFilename|contains: '\AppData\Roaming\Microsoft\'
        TargetFilename|endswith:
            - '.txt'
            - '.xml'
    condition: selection
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    Image|endswith:
        - '\schtasks.exe'
        - '\wscript.exe'
        - '\mshta.exe'
    # Example folders used by the samples include:
    #   - %AppData%\Microsoft\Network\
    #   - %AppData%\Microsoft\Office\
    TargetFilename|contains: '\AppData\Roaming\Microsoft\'
    TargetFilename|endswith:
        - '.txt'
        - '.xml'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \mshta.exe corpus 69 (sigma 69)
  • \schtasks.exe corpus 57 (sigma 57)
  • \wscript.exe corpus 78 (sigma 78)
TargetFilenameends_with
  • .txt corpus 4 (sigma 4)
  • .xml corpus 2 (sigma 2)
TargetFilenamematch
  • \AppData\Roaming\Microsoft\