Processes loading modules associated with the PCRE.NET package may indicate the execution of malicious code leveraging this library for persistence or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary activity that could lead to data exfiltration or system compromise.
Detection Rule
title: PCRE.NET Package Image Load
id: 84b0a8f3-680b-4096-a45b-e9a89221727c
status: test
description: Detects processes loading modules related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: '\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\'
    condition: selection
falsepositives:
    - Unknown
level: high
DeviceImageLoadEvents
| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
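The selection above, applied as an added example (not the rule author's code) to constructed DeviceImageLoadEvents-style records, with tuning filters of the kind the false-positive scenarios below describe. Column names follow the Defender advanced-hunting schema; the allowlisted directory, account and parent-process values are assumptions for illustration.

```python
# Sigma `|contains` and KQL `contains` are case-insensitive; compare lowercase.
PCRE_NET_TEMP_DIR = "\\appdata\\local\\temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"


def matches_selection(event: dict) -> bool:
    """The rule's single selection: the loaded image sits in the PCRE.NET temp dir."""
    return PCRE_NET_TEMP_DIR in event.get("FolderPath", "").lower()


def _field(event: dict, name: str) -> str:
    return event.get(name, "").lower()


# Assumed exclusions mirroring the scenarios: a known development directory and
# an installer spawned by the service host. An account name alone is weak
# evidence, so it is only honoured together with the directory condition.
EXCLUSIONS = [
    ("known dev tools directory",
     lambda e: _field(e, "InitiatingProcessFolderPath").startswith("c:\\dev\\tools\\")),
    ("dev-team account in dev directory",
     lambda e: _field(e, "InitiatingProcessAccountName") == "dev-team"
     and _field(e, "InitiatingProcessFolderPath").startswith("c:\\dev\\")),
    ("msiexec under svchost (patching)",
     lambda e: _field(e, "InitiatingProcessFileName") == "msiexec.exe"
     and _field(e, "InitiatingProcessParentFileName") == "svchost.exe"),
]


def triage(event: dict) -> tuple:
    """Return (alert, reason) for one image-load event."""
    if not matches_selection(event):
        return False, "no selection match"
    for label, predicate in EXCLUSIONS:
        if predicate(event):
            return False, "suppressed: " + label
    return True, "PCRE.NET Package Image Load"


def alerts(events: list) -> list:
    """Events that survive the selection and every exclusion."""
    return [e for e in events if triage(e)[0]]


# Constructed sample events (not real telemetry); the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"FolderPath": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\example-native.dll",
     "InitiatingProcessFileName": "powershell.exe", "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessFolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
     "InitiatingProcessParentFileName": "explorer.exe"},
    {"FolderPath": "C:\\Users\\dev\\APPDATA\\Local\\TEMP\\BA9EA7344A4A5F591D6E5DC32A13494B\\example-native.dll",
     "InitiatingProcessFileName": "regexbuddy.exe", "InitiatingProcessAccountName": "dev-team",
     "InitiatingProcessFolderPath": "C:\\Dev\\Tools\\RegexBuddy", "InitiatingProcessParentFileName": "explorer.exe"},
    {"FolderPath": "C:\\Windows\\Temp\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\example-native.dll",
     "InitiatingProcessFileName": "msiexec.exe", "InitiatingProcessAccountName": "system",
     "InitiatingProcessFolderPath": "C:\\Windows\\System32", "InitiatingProcessParentFileName": "svchost.exe"},
    {"FolderPath": "C:\\Windows\\System32\\ntdll.dll", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFolderPath": "C:\\Windows\\System32",
     "InitiatingProcessParentFileName": "explorer.exe"},
]
```

Only the first sample survives: the mixed-case path still matches the selection but is suppressed by the development-directory exclusion, and the installer case by the parent-process exclusion.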
Scenario: Development Environment Using PCRE.NET for Regex Testing
Description: A developer is using a tool like RegexBuddy or Notepad++ with a PCRE.NET plugin to test regular expressions.
Filter/Exclusion: Check for processes running from a known development directory (e.g., C:\Dev\Tools\) or filter by user (e.g., User = dev-team).
Scenario: Scheduled Job for Log Parsing with PCRE.NET
Description: A PowerShell scheduled task is parsing log files using a script that loads PCRE.NET for pattern matching.
Filter/Exclusion: Filter by process name (e.g., powershell.exe) and check for scheduled task context (e.g., TaskName = LogParseJob).
Scenario: System Update or Patch Installation
Description: A Windows Update or Microsoft Endpoint Manager (MEM) patching tool is loading PCRE.NET as part of a package installation.
Filter/Exclusion: Check for processes associated with update services (e.g., wuauserv, msiexec.exe) or filter by parent process (e.g., svchost.exe).
Scenario: Admin Task Using PCRE.NET for Data Validation
Description: An admin task (e.g., via Task Scheduler) is validating data formats using PCRE.NET, such as in a custom script or application.
Filter/Exclusion: Filter by user (e.g., User = admin) and check for task scheduler context (e.g., TaskName = DataValidationTask).
Scenario: Integration with Third-Party Application Using PCRE.NET
Description: A third-party application (e.g., Splunk, ELK Stack, or Logstash) is using