LoFP / legitimate usage of deno to request a file or bring a dll to a host

Techniques

Sample rules

Suspicious Deno File Written from Remote Source

Description

Detects Deno writing a file fetched by a direct HTTP(S) call into the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.

Detection logic

condition: selection_path
selection_path:
  TargetFilename|contains:
  - \deno\gen\
  - \deno\remote\https\
  TargetFilename|contains|all:
  - :\Users\
  - \AppData\