
Writing Of Malicious Files To The Fonts Folder

Severity
medium
Author
Sreeman
Source
upstream

Monitors for possibly malicious files being hidden in the C:\Windows\Fonts\ location. Writing to this folder, and executing from it, does not require administrator privileges.

MITRE ATT&CK coverage

Tactic | Technique
Execution | T1059 Command and Scripting Interpreter
Defense Evasion | T1211 Exploitation for Defense Evasion

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation
Security-Auditing | 4688 | A new process has been created.

Stages and Predicates

Stage 1: all of selection_1

or:
CommandLine|contains: cacls
CommandLine|contains: copy
CommandLine|contains: echo
CommandLine|contains: 'file createnew'
CommandLine|contains: type

Stage 2: all of selection_2

CommandLine|contains: 'C:\Windows\Fonts\'

Stage 3: all of selection_3

or:
CommandLine|contains: .bat
CommandLine|contains: .bin
CommandLine|contains: .cmd
CommandLine|contains: .cpl
CommandLine|contains: .dll
CommandLine|contains: .exe
CommandLine|contains: .hta
CommandLine|contains: .inf
CommandLine|contains: .jar
CommandLine|contains: .js
CommandLine|contains: .msh
CommandLine|contains: .msi
CommandLine|contains: .pl
CommandLine|contains: .ps
CommandLine|contains: .reg
CommandLine|contains: .scr
CommandLine|contains: .sh
CommandLine|contains: .vb
CommandLine|contains: .vbs
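The three stages above combine as AND across selections and OR across the values inside each selection, with Sigma's `|contains` modifier meaning a case-insensitive substring test. The evaluator below is an added example, not part of the rule or the catalog's own tooling: it applies exactly that predicate to a handful of constructed process-creation events and reports which stage let each one through. It assumes events have already been normalized to the Sigma field name `CommandLine` (Security 4688 carries the value under a different raw field name before mapping) and that only the event IDs from the coverage table are fed in.

```python
from __future__ import annotations

# Stage 1 (selection_1): any of these verbs / subcommands in CommandLine
SELECTION_1 = ("cacls", "copy", "echo", "file createnew", "type")
# Stage 2 (selection_2): the Fonts directory path
SELECTION_2 = ("c:\\windows\\fonts\\",)
# Stage 3 (selection_3): any of the executable / script extensions
SELECTION_3 = (".bat", ".bin", ".cmd", ".cpl", ".dll", ".exe", ".hta", ".inf",
               ".jar", ".js", ".msh", ".msi", ".pl", ".ps", ".reg", ".scr",
               ".sh", ".vb", ".vbs")

# Process-creation events listed in the coverage table: Sysmon 1 and Security 4688.
PROCESS_CREATION_IDS = {1, 4688}


def contains_any(value: str, needles: tuple[str, ...]) -> bool:
    """Sigma |contains over a value list: case-insensitive substring test, OR'd."""
    lowered = value.lower()
    return any(needle in lowered for needle in needles)


def evaluate_stages(cmdline: str) -> dict[str, bool]:
    """Per-stage result; when tuning, this shows which selection admitted an event."""
    return {
        "selection_1": contains_any(cmdline, SELECTION_1),
        "selection_2": contains_any(cmdline, SELECTION_2),
        "selection_3": contains_any(cmdline, SELECTION_3),
    }


def rule_matches(event: dict) -> bool:
    """Condition: all of selection_1 and all of selection_2 and all of selection_3."""
    if event.get("EventID") not in PROCESS_CREATION_IDS:
        return False
    cmdline = event.get("CommandLine")
    if not cmdline:  # an event without a command line cannot satisfy any stage
        return False
    return all(evaluate_stages(cmdline).values())


# Constructed sample events (not real telemetry); EventID is the only other field needed here.
SAMPLE_EVENTS = [
    # Binary staged into Fonts with copy: expected match
    {"EventID": 1, "CommandLine": "cmd.exe /c copy C:\\Users\\Public\\stage.exe C:\\Windows\\Fonts\\svchost.exe"},
    # Script built with echo redirection: expected match
    {"EventID": 4688, "CommandLine": "cmd.exe /c echo test > C:\\Windows\\Fonts\\u.bat"},
    # Ordinary font install: no listed extension and no '.exe' anywhere in the line, expected no match
    {"EventID": 1, "CommandLine": "copy arial.ttf C:\\Windows\\Fonts\\"},
    # Benign read of a text file: 'type' satisfies stage 1 and the '.exe' of cmd.exe
    # satisfies stage 3 on its own, so the rule fires (a false positive worth tuning)
    {"EventID": 1, "CommandLine": "cmd.exe /c type C:\\Windows\\Fonts\\readme.txt"},
    # Directory listing: no stage-1 verb, expected no match
    {"EventID": 1, "CommandLine": "powershell -c Get-ChildItem C:\\Windows\\Fonts\\"},
    # Not a process-creation event: ignored regardless of content
    {"EventID": 11, "CommandLine": "copy C:\\Windows\\Fonts\\x.dll"},
]


def triage(events: list[dict]) -> list[tuple[str, bool]]:
    """Run the rule over a batch and pair each command line with its verdict."""
    return [(event.get("CommandLine", ""), rule_matches(event)) for event in events]


if __name__ == "__main__":
    for cmdline, hit in triage(SAMPLE_EVENTS):
        print("ALERT " if hit else "      ", cmdline)
        if hit:
            print("       stages:", evaluate_stages(cmdline))
```

The fourth sample is the one to note when deploying: selection_3 is evaluated over the whole command line, so the `.exe` of the launching interpreter satisfies stage 3 by itself and any `type` or `echo` that mentions the Fonts path will alert. Tuning that anchors the extension check to the Fonts path, or filters the image name out before matching, reduces that noise without weakening the write-to-Fonts case the rule is meant to catch.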

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match
  • .bat corpus 8 (sigma 8)
  • .bin
  • .cmd corpus 5 (sigma 5)
  • .cpl corpus 4 (sigma 4)
  • .dll corpus 15 (sigma 15)
  • .exe corpus 4 (sigma 4)
  • .hta corpus 5 (sigma 5)
  • .inf corpus 3 (sigma 3)
  • .jar corpus 2 (sigma 2)
  • .js corpus 6 (sigma 6)
  • .msh
  • .msi
  • .pl corpus 2 (sigma 2)
  • .ps corpus 3 (sigma 3)
  • .reg corpus 3 (sigma 3)
  • .scr corpus 5 (sigma 5)
  • .sh corpus 2 (sigma 2)
  • .vb corpus 3 (sigma 3)
  • .vbs corpus 5 (sigma 5)
  • C:\Windows\Fonts\
  • cacls
  • copy corpus 3 (sigma 3)
  • echo corpus 3 (sigma 3)
  • file createnew corpus 2 (sigma 2)
  • type corpus 2 (sigma 2)