Sigma rules for Bumblebee
3 rules · scoped to tool · back to Bumblebee
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Wab/Wabmig Unusual Parent Or Child Processes
id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
status: test
description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more if known
- \WmiPrvSE.exe
- \svchost.exe
- \dllhost.exe
Image|endswith:
- '\wab.exe'
- '\wabmig.exe' # (Microsoft Address Book Import Tool)
selection_child:
# You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
ParentImage|endswith:
- '\wab.exe'
- '\wabmig.exe' # (Microsoft Address Book Import Tool)
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Wab Execution From Non Default Location
id: 395907ee-96e5-4666-af2e-2ca91688e151
status: test
description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\wab.exe'
- '\wabmig.exe'
filter:
Image|startswith:
- 'C:\Windows\WinSxS\'
- 'C:\Program Files\Windows Mail\'
- 'C:\Program Files (x86)\Windows Mail\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: ImagingDevices Unusual Parent/Child Processes
id: f11f2808-adb4-46c0-802a-8660db50fa99
status: test
description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2022-12-29
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more if known
- \WmiPrvSE.exe
- \svchost.exe
- \dllhost.exe
Image|endswith: '\ImagingDevices.exe'
selection_child:
# You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
ParentImage|endswith: '\ImagingDevices.exe'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high