Detection Content: Finding Ursnif Trojan Activity

The ‘Process Injection by Ursnif (Dreambot Malware)’ exclusive rule by Emir Erdogan is released on Threat Detection Marketplace: 

Ursnif banking Trojan has been used by adversaries in various modifications for about 13 years, constantly gaining new features and acquiring new tricks to avoid security solutions. Its source code was leaked in 2014, and since then Ursnif often winds up in Top 10 Malware charts, and various modifications of the Trojan are used worldwide to steal sensitive banking information and credentials on the infected system. This rule allows your solution to detect Ursnif when it injects itself into the rogue process. Detecting the Trojan at an early stage will prevent data theft and determine credentials that could be compromised.

Emir Erdogan is one of the most active participants of the SOC Prime Threat Bounty Developer program. Starting from September 2019, he published 100+ community and exclusive rules that got the attention of the TDM users due to the high content quality and security relevance.


SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint

EDR: Windows Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Credential Access, Defense Evasion, Privilege Escalation

Techniques: Command-Line Interface (T1059), Credentials in Files (T1081), Process Injection (T1055), Rundll32 (T1085)

You can explore other tactics used by Ursnif banking Trojan in the MITRE ATT&CK® section at Threat Detection Marketplace:

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts