Processes creating temporary files associated with the PCRE.NET package may indicate the execution of malicious code leveraging this library for persistence or command and control activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial use of PCRE.NET for stealthy malware deployment or data exfiltration.
Detection Rule

title: PCRE.NET Package Temp Files
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
status: test
description: Detects processes creating temp files related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query

imFileEvent
| where TargetFileName contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
False Positive Scenarios

Scenario: A developer is using Visual Studio to build a .NET application that references the PCRE.NET package, which generates temporary files during the build process.
Filter/Exclusion: Exclude processes with ImageFileName containing “devenv.exe” or “VisualStudio”.

Scenario: A Windows Update or System Update Readiness task creates temporary files in the PCRE.NET directory as part of a system maintenance process.
Filter/Exclusion: Exclude processes with ImageFileName containing “wusa.exe” or “SystemUpdateReadiness”.

Scenario: A scheduled backup job using Veeam Backup & Replication generates temporary files in the PCRE.NET directory during a backup operation.
Filter/Exclusion: Exclude processes with ImageFileName containing “veeam.exe” or “VeeamBackup”.

Scenario: An admin task using PowerShell to deploy or configure a .NET application with PCRE.NET dependencies creates temporary files during script execution.
Filter/Exclusion: Exclude processes with ImageFileName containing “powershell.exe” and check for command-line arguments indicating administrative tasks.

Scenario: A CI/CD pipeline (e.g., Azure DevOps or Jenkins) runs a build that includes the PCRE.NET package, resulting in temporary file creation.
Filter/Exclusion: Exclude processes with ImageFileName containing “azure-pipelines.exe”, “jenkins.exe”, or “dotnet.exe” with specific command-line flags.

An exclusion keyed on the image name alone is satisfied by any process that carries that name, so where the log source provides them, pair the name with the full image path or the binary's signer before suppressing the alert.
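The rule's selection and the exclusion scenarios above, applied to constructed file-creation events as an added example (not the rule author's code or part of the Sigma project). The field names ImageFileName and CommandLine, the sample records, and the command-line tokens for powershell.exe and dotnet.exe are assumptions, since the page leaves those conditions open.

```python
from typing import Iterable

# Path fragment from the rule's TargetFilename|contains selection; Sigma and KQL
# "contains" are case-insensitive, so everything is compared lower-cased.
PCRE_NET_TEMP = "\\appdata\\local\\temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"

# Image-name substrings the page proposes as benign exclusions.
IMAGE_EXCLUSIONS = ("devenv.exe", "visualstudio", "wusa.exe", "systemupdatereadiness",
                    "veeam.exe", "veeambackup", "azure-pipelines.exe", "jenkins.exe")
# The page leaves the command-line conditions open; these tokens are assumptions.
CMDLINE_EXCLUSIONS = {"powershell.exe": ("-file ", ".ps1"),
                      "dotnet.exe": (" build", " publish")}

def matches_rule(event: dict) -> bool:
    """Rule logic: TargetFilename contains the PCRE.NET temp directory."""
    return PCRE_NET_TEMP in event.get("TargetFilename", "").lower()

def is_excluded(event: dict) -> bool:
    """Tuning logic: the creating process matches one of the page's exclusions."""
    image = event.get("ImageFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if any(s in image for s in IMAGE_EXCLUSIONS):
        return True
    # Name-only matching is weak; anchor on the full path or signer in production.
    return any(image.endswith(exe) and any(t in cmdline for t in tokens)
               for exe, tokens in CMDLINE_EXCLUSIONS.items())

def triage(events: Iterable[dict]) -> list:
    """Events that fire the rule and survive the exclusions (what an analyst sees)."""
    return [e for e in events if matches_rule(e) and not is_excluded(e)]

# Constructed sample events (not real telemetry); field names follow the page.
SAMPLE_EVENTS = [
    {"ImageFileName": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Common7\\IDE\\devenv.exe",
     "CommandLine": "devenv.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\native.dll"},
    {"ImageFileName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -file deploy.ps1",
     "TargetFilename": "C:\\Users\\svc\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\native.dll"},
    {"ImageFileName": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
     "CommandLine": "updater.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\native.dll"},
    {"ImageFileName": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\other\\file.tmp"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT:", alert["ImageFileName"], "->", alert["TargetFilename"])
```

Only the unsigned process in the user's Roaming profile survives triage; the Visual Studio and PowerShell deployment events are suppressed by the exclusions, and the unrelated temp file never fires the rule.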