121. Detecting Earth Kasha's ROAMINGMOUSE
Hello everyone!
Reading Trend Micro's report on Earth Kasha, I spotted a curious behavior marker of ROAMINGMOUSE: it abuses WMI to execute JSLNTOOL.EXE via explorer.exe. JSLNTOOL.EXE is a legitimate application that the adversary uses to sideload JSFC.dll, a malicious loader.
This means we can hunt for suspicious executions of explorer.exe whose parent process is wmiprvse.exe:
event_type: "processcreatewin"
AND
proc_file_path: "explorer.exe"
AND
proc_p_file_path: "wmiprvse.exe"
As for JSLNTOOL.EXE, you can also hunt for related execution events, focusing on uncommon locations:
event_type: "processcreatewin"
AND
proc_file_originalfilename: "jslntool.exe"
AND NOT
proc_file_path: "justsystems"
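To show how the two hunts above behave on real-looking telemetry, here is an added Python example (mine, not code from the post or from Trend Micro) that runs both of them over a handful of constructed process-creation events; the field names follow the post's queries, and every sample path is made up.

```python
"""Added example: the two Earth Kasha hunts from the post applied to
constructed process-creation events. Field names mirror the post's
queries; the events themselves are invented for illustration."""
from typing import Dict, List

# Constructed sample telemetry: each dict is one process-creation event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Benign: explorer.exe started by userinit.exe at logon
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\explorer.exe",
        "proc_p_file_path": r"C:\Windows\System32\userinit.exe",
        "proc_file_originalfilename": "EXPLORER.EXE",
    },
    {   # Suspicious: explorer.exe spawned by the WMI provider host
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Windows\explorer.exe",
        "proc_p_file_path": r"C:\Windows\System32\wbem\wmiprvse.exe",
        "proc_file_originalfilename": "EXPLORER.EXE",
    },
    {   # Expected: JSLNTOOL.EXE running from the vendor's install directory
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Program Files\JustSystems\JSLNTOOL.EXE",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_file_originalfilename": "JSLNTOOL.EXE",
    },
    {   # Suspicious: same binary (by PE original filename) under another
        # name in a user-writable folder; the path match alone would miss it
        "event_type": "processcreatewin",
        "proc_file_path": r"C:\Users\Public\update.exe",
        "proc_p_file_path": r"C:\Windows\explorer.exe",
        "proc_file_originalfilename": "JSLNTOOL.EXE",
    },
]

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt_explorer_from_wmi(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Hunt 1: explorer.exe whose parent process is wmiprvse.exe."""
    return [e for e in events
            if e.get("event_type") == "processcreatewin"
            and _basename(e.get("proc_file_path", "")) == "explorer.exe"
            and _basename(e.get("proc_p_file_path", "")) == "wmiprvse.exe"]

def hunt_jslntool_uncommon_path(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Hunt 2: JSLNTOOL.EXE (by original filename) outside a JustSystems path."""
    return [e for e in events
            if e.get("event_type") == "processcreatewin"
            and e.get("proc_file_originalfilename", "").lower() == "jslntool.exe"
            and "justsystems" not in e.get("proc_file_path", "").lower()]

if __name__ == "__main__":
    for hit in hunt_explorer_from_wmi(SAMPLE_EVENTS) + hunt_jslntool_uncommon_path(SAMPLE_EVENTS):
        print(hit["proc_file_path"], "<-", hit["proc_p_file_path"])
```

Matching on proc_file_originalfilename rather than the on-disk name is what lets the second hunt keep working when the tool is copied under a different name.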
See you tomorrow!