SigmaHQ/rules/apt/apt_apt29_tor.yml

---
action: global
title: APT29 Google Update Service Install
description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
logsource:
    product: windows
detection:
    service:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
    condition: service | near process
falsepositives:
    - Unknown
level: high
---
# Windows Audit Log
detection:
    process:
        EventID: 4688 
        NewProcessName: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
# Sysmon
detection:
    process:
        EventID: 1 
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
Missing separator 2018-03-05 10:29:42 +00:00			`---`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`action: global`
Rule: APT29 Google Update service install 2017-03-31 17:31:13 +00:00			`title: APT29 Google Update Service Install`
APT 29 - tor / google update service 2017-04-01 08:30:36 +00:00			`description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html`
Rule: APT29 Google Update service install 2017-03-31 17:31:13 +00:00			`logsource:`
			`product: windows`
			`detection:`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`service:`
Rule: APT29 Google Update service install 2017-03-31 17:31:13 +00:00			`EventID: 7045`
			`ServiceName: 'Google Update'`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`timeframe: 5m`
			`condition: service \| near process`
			`falsepositives:`
			`- Unknown`
			`level: high`
			`---`
			`# Windows Audit Log`
			`detection:`
			`process:`
APT 29 - tor / google update service 2017-04-01 08:30:36 +00:00			`EventID: 4688`
			`NewProcessName:`
			`- 'C:\Program Files(x86)\Google\GoogleService.exe'`
			`- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`---`
			`# Sysmon`
			`detection:`
			`process:`
			`EventID: 1`
			`Image:`
			`- 'C:\Program Files(x86)\Google\GoogleService.exe'`
			`- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'`