Date: 09/20/2024
Severity: High
Summary
Identifies the Emotet Epoch4 loader delivered as a malicious ".lnk" shortcut, as reported by @malware_traffic in 2022. The shortcut was distributed through a phishing campaign. When opened, its command line uses findstr to carve an embedded VBScript out of the .lnk file itself into a .vbs file and then runs that script, which is why the indicators below expect "findstr", ".vbs" and ".lnk" to appear together in a single cmd.exe or powershell.exe command line spawned from explorer.exe, cmd.exe or powershell.exe. Ordinary findstr usage (searching a log file, for example) does not match, because all three strings must be present.
Indicators of Compromise (IOC) List
Field | Values (image paths matched as suffixes; command-line values matched as substrings, all three required) |
ParentImage | '\cmd.exe', '\explorer.exe', '\powershell.exe' |
Image | '\cmd.exe', '\powershell.exe' |
CommandLine | 'findstr', '.vbs', '.lnk' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourcename = "Windows Security" AND eventtype = "4688") AND processname In ("\cmd.exe","\explorer.exe","\powershell.exe") AND message In ("findstr",".vbs",".lnk") |
Detection Query 2 | technologygroup = "EDR" AND processname In ("\cmd.exe","\explorer.exe","\powershell.exe") AND message In ("findstr",".vbs",".lnk") |
Detection Query 3 | (resourcename = "Sysmon" AND eventtype = "1") AND image In ("\cmd.exe","\explorer.exe","\powershell.exe") AND commandline In ("findstr",".vbs",".lnk") |
Detection Query 4 | technologygroup = "EDR" AND image In ("\cmd.exe","\explorer.exe","\powershell.exe") AND commandline In ("findstr",".vbs",".lnk") |
Note: Query 1 only works when command-line logging is enabled for Security Event ID 4688 (the "Include command line in process creation events" audit policy); without it the message field carries no command line and the query cannot match. Sysmon Event ID 1 (Query 3) records the command line by default.
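The following is an added example, not part of the original page and not Gurucul's or the Sigma project's code. It replays the indicator logic above against constructed Sysmon Event ID 1 messages, matching each field the way the referenced Sigma rule does (suffix match on ParentImage and Image, all three substrings required in CommandLine). The sample messages, file names and the findstr marker string are made up for the example; the first one follows the loader's pattern of carving a VBScript out of the .lnk into %tmp% and executing it, the other three are near-misses that show which field rules each of them out.

```python
"""Replay the Emotet .lnk loader indicators against sample process-creation events."""

# Field values from the IOC list on this page. Image paths are matched as
# suffixes and every command-line token must be present, which is how the
# referenced Sigma rule expresses them (ParentImage|endswith, Image|endswith,
# CommandLine|contains|all). Comparison is case-insensitive, as in Sigma.
PARENT_IMAGES = ("\\cmd.exe", "\\explorer.exe", "\\powershell.exe")
IMAGES = ("\\cmd.exe", "\\powershell.exe")
COMMANDLINE_TOKENS = ("findstr", ".vbs", ".lnk")


def parse_sysmon_message(message: str) -> dict:
    """Turn the "Field: value" lines of a Sysmon Event ID 1 message into a dict.

    Only the first ": " on each line separates the field name from its value,
    so a command line that itself contains ": " is kept intact.
    """
    event = {}
    for line in message.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            event[key.strip()] = value.strip()
    return event


def matches_emotet_lnk_loader(event: dict) -> bool:
    """True when a process-creation event satisfies every selection field."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return (
        parent.endswith(PARENT_IMAGES)
        and image.endswith(IMAGES)
        and all(token in cmdline for token in COMMANDLINE_TOKENS)
    )


# Constructed sample messages for this example (not captured telemetry).
SAMPLE_MESSAGES = [
    # Loader pattern: findstr carves a marker-delimited VBScript out of the
    # .lnk itself into %tmp% and runs it. The marker "XyZmArKeR" is made up.
    "EventID: 1\n"
    "Image: C:\\Windows\\System32\\cmd.exe\n"
    "CommandLine: \"C:\\Windows\\System32\\cmd.exe\" /v:on /c findstr \"XyZmArKeR.*\" "
    "\"C:\\Users\\alice\\Downloads\\Invoice.lnk\" > \"%tmp%\\Invoice.vbs\" & \"%tmp%\\Invoice.vbs\"\n"
    "ParentImage: C:\\Windows\\explorer.exe",
    # Benign: findstr over a log file, no .lnk or .vbs involved.
    "EventID: 1\n"
    "Image: C:\\Windows\\System32\\cmd.exe\n"
    "CommandLine: cmd.exe /c findstr /i error C:\\logs\\app.log\n"
    "ParentImage: C:\\Windows\\explorer.exe",
    # All three tokens present, but the parent is not one of the expected launchers.
    "EventID: 1\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine: powershell.exe -c findstr x C:\\tmp\\a.lnk > C:\\tmp\\a.vbs\n"
    "ParentImage: C:\\Windows\\System32\\services.exe",
    # .lnk and .vbs appear, but there is no findstr: a plain script launch.
    "EventID: 1\n"
    "Image: C:\\Windows\\System32\\cmd.exe\n"
    "CommandLine: cmd.exe /c cscript C:\\Users\\alice\\Desktop\\tool.lnk.vbs\n"
    "ParentImage: C:\\Windows\\explorer.exe",
]


def triage(messages) -> list:
    """Return the indices of the messages that hit the Emotet .lnk loader rule."""
    return [i for i, m in enumerate(messages)
            if matches_emotet_lnk_loader(parse_sysmon_message(m))]


if __name__ == "__main__":
    for i in triage(SAMPLE_MESSAGES):
        ev = parse_sysmon_message(SAMPLE_MESSAGES[i])
        print(f"ALERT event {i}: {ev['ParentImage']} -> {ev['Image']}")
        print(f"  {ev['CommandLine']}")
```

Running the script flags only the first sample. The near-misses are worth keeping as regression cases when porting the logic to a SIEM: a query that treats the three command-line values as alternatives rather than requiring all of them would also fire on the benign findstr invocation.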
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml