Merge PR #4784 from @tomaszdyduch - Add new DarkGate activity related…

… rule new: DarkGate - Drop DarkGate Loader In C:\Temp Directory --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · May 31, 2024 · 48f2d09 · 48f2d09
1 parent 2bf502f
commit 48f2d09
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/...rging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml b/...rging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
@@ -0,0 +1,30 @@
+title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
+id: df49c691-8026-48dd-94d3-4ba6a79102a8
+status: experimental
+description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
+references:
+    - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
+    - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+author: Tomasz Dyduch, Josh Nickels
+date: 2024/05/31
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_filename_suffix:
+        TargetFilename|contains: ':\temp\'
+        TargetFilename|endswith:
+            - '.au3'
+            - '\autoit3.exe'
+    selection_image_suffix:
+        Image|contains: ':\temp\'
+        Image|endswith:
+            - '.au3'
+            - '\autoit3.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely legitimate usage of AutoIT in temp folders.
+level: medium