SigmaHQ · frack113 · Jul 30, 2024 · Jul 31, 2024 · Jul 31, 2024 · Jan 26, 2025
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_portable.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_portable.yml
@@ -0,0 +1,25 @@
+title: Winscp Launch From Uncommon Folder
+id: 7674f8ef-7141-4cf0-a311-ee359264c64c
+status: experimental
+description: Use Winscp from an uncommon folder
+references:
+    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
+author: frack113
+date: 2024-07-30
+tags:
+    - attack.exfiltration
+    - attack.t1048
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\WinSCP.exe'
+        - OriginalFileName: 'winscp.exe'
+    filter:
+        Image|contains: ':\Program Files (x86)\WinSCP\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_susp_cli.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_susp_cli.yml
@@ -0,0 +1,28 @@
+title: Winscp CLI Command To Open FTP Connexion
+id: c1477deb-37cf-4439-9ffb-44499acb89d0
+status: experimental
+description: Use Winscp command cli option to open a connexion
+references:
+    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
+author: frack113
+date: 2024-07-30
+tags:
+    - attack.exfiltration
+    - attack.t1048
+    - detection.threat-hunting
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\WinSCP.exe'
+        - OriginalFileName: 'winscp.exe'
+    selection_cmd:
+        CommandLine|contains|windash: '-command'
+        CommandLine|contains|all:
+            - 'open '
+            - 'ftp://' # cover ftp and sftp
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium