Techniques
Sample rules
Arbitrary File Download Via Squirrel.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects the use of “Squirrel.exe” to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
Detection logic
condition: all of selection_*
selection_download_cli:
    CommandLine|contains:
        - ' --download '
        - ' --update '
        - ' --updateRollback='
selection_download_http_keyword:
    CommandLine|contains: http
selection_img:
    Image|endswith:
        - '\squirrel.exe'
        - '\update.exe'
Process Proxy Execution Via Squirrel.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects the use of the “Squirrel.exe” binary to execute arbitrary processes. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_discord:
    CommandLine|contains|all:
        - ':\Users\'
        - '\AppData\Local\Discord\Update.exe'
        - ' --processStart'
        - Discord.exe
filter_optional_github_desktop:
    CommandLine|contains:
        - --createShortcut
        - --processStartAndWait
    CommandLine|contains|all:
        - ':\Users\'
        - '\AppData\Local\GitHubDesktop\Update.exe'
        - GitHubDesktop.exe
filter_optional_teams:
    CommandLine|contains:
        - --processStart
        - --createShortcut
    CommandLine|contains|all:
        - ':\Users\'
        - '\AppData\Local\Microsoft\Teams\Update.exe'
        - Teams.exe
filter_optional_yammer:
    CommandLine|contains:
        - --processStart
        - --createShortcut
    CommandLine|contains|all:
        - ':\Users\'
        - '\AppData\Local\yammerdesktop\Update.exe'
        - Yammer.exe
selection_exec:
    CommandLine|contains:
        - --processStart
        - --processStartAndWait
        - --createShortcut
selection_img:
    Image|endswith:
        - '\squirrel.exe'
        - '\update.exe'
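To show how the two rules above behave on real process-creation telemetry, here is an added example (not part of this catalogue page and not code from the Sigma project) that transcribes both rules into Python dictionaries and evaluates them with a minimal matcher supporting only the modifiers the rules use (`contains`, `contains|all`, `endswith`), using Sigma's default case-insensitive string matching. The sample events are constructed for the example: a Squirrel-style download, a benign Discord self-update that the optional filter is meant to suppress, an Update.exe proxy execution outside any known Electron install directory, and an unrelated process.

```python
"""Evaluate the two Squirrel.exe Sigma rules against constructed process-creation events.

Added example: a minimal Sigma-style matcher, not the Sigma project's own code.
Only the modifiers used by the two rules are implemented.
"""

# Rule 1: Arbitrary File Download Via Squirrel.EXE (condition: all of selection_*)
DOWNLOAD_RULE = {
    "selection_download_cli": {
        "CommandLine|contains": [" --download ", " --update ", " --updateRollback="],
    },
    "selection_download_http_keyword": {"CommandLine|contains": "http"},
    "selection_img": {"Image|endswith": ["\\squirrel.exe", "\\update.exe"]},
}

# Rule 2: Process Proxy Execution Via Squirrel.EXE
# (condition: all of selection_* and not 1 of filter_optional_*); only the Discord
# filter is transcribed here, the other three follow the same shape.
PROXY_EXEC_RULE = {
    "filter_optional_discord": {
        "CommandLine|contains|all": [
            ":\\Users\\", "\\AppData\\Local\\Discord\\Update.exe", " --processStart", "Discord.exe",
        ],
    },
    "selection_exec": {
        "CommandLine|contains": ["--processStart", "--processStartAndWait", "--createShortcut"],
    },
    "selection_img": {"Image|endswith": ["\\squirrel.exe", "\\update.exe"]},
}


def _field_matches(event, key, values):
    """Apply one 'Field|modifier' test to an event (case-insensitive, as in Sigma)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = [values] if isinstance(values, str) else list(values)
    wanted = [v.lower() for v in wanted]
    if modifier == "contains":          # a list means: any value matches
        return any(v in actual for v in wanted)
    if modifier == "contains|all":      # every value must be present
        return all(v in actual for v in wanted)
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All field tests inside one selection are AND-ed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Condition 'all of selection_* and not 1 of filter_optional_*' (rule 1 has no filters)."""
    selections = [v for k, v in rule.items() if k.startswith("selection_")]
    filters = [v for k, v in rule.items() if k.startswith("filter_optional_")]
    hit = all(selection_matches(event, s) for s in selections)
    filtered = any(selection_matches(event, f) for f in filters)
    return hit and not filtered


# Constructed sample events (hostnames, users and paths are made up for the example).
EVENTS = {
    "download": {
        "Image": "C:\\Users\\alice\\AppData\\Local\\SomeApp\\Update.exe",
        "CommandLine": "Update.exe --download http://files.example.invalid/package.nupkg",
    },
    "legit_discord_update": {
        "Image": "C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe",
        "CommandLine": '"C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe" --processStart Discord.exe',
    },
    "proxy_exec": {
        "Image": "C:\\Users\\alice\\Downloads\\Update.exe",
        "CommandLine": "Update.exe --processStart notepad.exe",
    },
    "unrelated": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
}


def run_rules():
    """Return {event name: (download rule fired, proxy-exec rule fired)} for every sample event."""
    return {
        name: (evaluate(DOWNLOAD_RULE, ev), evaluate(PROXY_EXEC_RULE, ev))
        for name, ev in EVENTS.items()
    }


if __name__ == "__main__":
    for name, (dl, px) in run_rules().items():
        print(f"{name:22} download={dl!s:5} proxy_exec={px!s:5}")
```

The benign Discord update matches both selections of the proxy-execution rule and is only suppressed because its command line carries the full per-user `\AppData\Local\Discord\Update.exe` path; an `Update.exe` copied elsewhere with the same `--processStart` argument is not covered by any filter and fires, which is exactly the gap the optional filters are designed to leave open.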