SigmaHQ/rules/windows/process_creation/win_apt_gallium.yml

action: global
title: GALLIUM Artefacts
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
author: Tim Burrell
date: 2020/02/07
references:
    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
tags:
    - attack.credential_access
    - attack.command_and_control
falsepositives:
    - unknown
level: high
---
logsource:
    product: windows
    category: process_creation
detection:
    exec_selection:
        sha1:
            - '53a44c2396d15c3a03723fa5e5db54cafd527635'
            - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
            - 'aeb573accfd95758550cf30bf04f389a92922844'
            - '79ef78a797403a4ed1a616c68e07fff868a8650a'
            - '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
            - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
            - 'e841a63e47361a572db9a7334af459ddca11347a'
            - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
            - '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
            - 'dd44133716b8a241957b912fa6a02efde3ce3025'
            - '8793bf166cb89eb55f0593404e4e933ab605e803'
            - 'a39b57032dbb2335499a51e13470a7cd5d86b138'
            - '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
            - 'd209430d6af54792371174e70e27dd11d3def7a7'
            - '1c6452026c56efd2c94cea7e0f671eb55515edb0'
            - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
            - '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
            - 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
            - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
    condition: exec_selection
---
logsource:
    product: windows
    service: dns-server
detection:
    c2_selection:
        EventID: 257
        QNAME: 
            - 'asyspy256.ddns.net'
            - 'hotkillmail9sddcc.ddns.net'
            - 'rosaf112.ddns.net'
            - 'cvdfhjh1231.myftp.biz'
            - 'sz2016rose.ddns.net'
            - 'dffwescwer4325.myftp.biz'
            - 'cvdfhjh1231.ddns.net'
    condition: c2_selection
---
logsource:
    product: windows
    category: process_creation
detection:
    legitimate_process_path:
        Image|contains:
            - ':\Program Files(x86)\'
            - ':\Program Files\'
    legitimate_executable:
        sha1:
            - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
    condition: legitimate_executable and not legitimate_process_path
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`action: global`
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: GALLIUM Artefacts`
fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00			`id: 440a56bf-7873-4439-940a-1c8a671073c2`
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`status: experimental`
			`description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.`
			`author: Tim Burrell`
additional gallium ttp sha1 process creation only makes sense for sysmon 2020-02-07 14:08:40 +00:00			`date: 2020/02/07`
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`references:`
			`- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/`
			`- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)`
			`tags:`
			`- attack.credential_access`
			`- attack.command_and_control`
			`falsepositives:`
			`- unknown`
			`level: high`
			`---`
			`logsource:`
logsource change I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform. 2020-02-07 14:47:27 +00:00			`product: windows`
fixup - unique rule id; use process_creation instead of sysmon EventID:1 2020-01-02 20:05:28 +00:00			`category: process_creation`
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`detection:`
			`exec_selection:`
fix: changed hashes field to sha1 for better consistency 2020-01-29 18:52:24 +00:00			`sha1:`
			`- '53a44c2396d15c3a03723fa5e5db54cafd527635'`
			`- '9c5e496921e3bc882dc40694f1dcc3746a75db19'`
			`- 'aeb573accfd95758550cf30bf04f389a92922844'`
			`- '79ef78a797403a4ed1a616c68e07fff868a8650a'`
			`- '4f6f38b4cec35e895d91c052b1f5a83d665c2196'`
			`- '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'`
			`- 'e841a63e47361a572db9a7334af459ddca11347a'`
			`- 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'`
			`- '2e94b305d6812a9f96e6781c888e48c7fb157b6b'`
			`- 'dd44133716b8a241957b912fa6a02efde3ce3025'`
			`- '8793bf166cb89eb55f0593404e4e933ab605e803'`
			`- 'a39b57032dbb2335499a51e13470a7cd5d86b138'`
			`- '41cc2b15c662bc001c0eb92f6cc222934f0beeea'`
			`- 'd209430d6af54792371174e70e27dd11d3def7a7'`
			`- '1c6452026c56efd2c94cea7e0f671eb55515edb0'`
			`- 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'`
			`- '4923d460e22fbbf165bbbaba168e5a46b8157d9f'`
			`- 'f201504bd96e81d0d350c3a8332593ee1c9e09de'`
			`- 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'`
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`condition: exec_selection`
			`---`
			`logsource:`
			`product: windows`
			`service: dns-server`
			`detection:`
			`c2_selection:`
			`EventID: 257`
additional gallium ttp sha1 process creation only makes sense for sysmon 2020-02-07 14:08:40 +00:00			`QNAME:`
Sigma queries for -- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging) -- GALLIUM threat intel IOCs in recent MSTIC blog/release. 2020-01-02 14:47:55 +00:00			`- 'asyspy256.ddns.net'`
			`- 'hotkillmail9sddcc.ddns.net'`
			`- 'rosaf112.ddns.net'`
			`- 'cvdfhjh1231.myftp.biz'`
			`- 'sz2016rose.ddns.net'`
			`- 'dffwescwer4325.myftp.biz'`
			`- 'cvdfhjh1231.ddns.net'`
			`condition: c2_selection`
additional gallium ttp sha1 process creation only makes sense for sysmon 2020-02-07 14:08:40 +00:00			`---`
			`logsource:`
logsource change I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform. 2020-02-07 14:47:27 +00:00			`product: windows`
additional gallium ttp sha1 process creation only makes sense for sysmon 2020-02-07 14:08:40 +00:00			`category: process_creation`
			`detection:`
			`legitimate_process_path:`
			`Image\|contains:`
			`- ':\Program Files(x86)\'`
			`- ':\Program Files\'`
			`legitimate_executable:`
			`sha1:`
			`- 'e570585edc69f9074cb5e8a790708336bd45ca0f'`
			`condition: legitimate_executable and not legitimate_process_path`