valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0fbfcc6ba9
SigmaHQ/rules/windows/builtin/win_apt_stonedrill.yml

25 lines
698 B
YAML
Raw Normal View History

Rule: APT StoneDrill Service Install
2017-03-07 08:24:06 +00:00
title: StoneDrill Service Install
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
Rule: APT StoneDrill Service Install
2017-03-07 08:24:06 +00:00
author: Florian Roth
fix: fixed missing date fields in other files
2020-01-30 14:32:39 +00:00
date: 2017/03/07
Change All "str" references to be "list"to mach schema update
2018-01-27 23:24:16 +00:00
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
Add tags to APT rules
2018-07-25 07:50:01 +00:00
tags:
- attack.persistence
- attack.g0064
- attack.t1050
Initial round of subtechnique updates
2020-06-16 20:46:08 +00:00
- attack.t1543.003
Rule: APT StoneDrill Service Install
2017-03-07 08:24:06 +00:00
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
Improved StoneDrill Rule
2017-03-31 17:25:10 +00:00
ServiceName: NtsSrv
ServiceFileName: '* LocalService'
condition: selection
Rule: APT StoneDrill Service Install
2017-03-07 08:24:06 +00:00
falsepositives:
- Unlikely
level: high
Reference in New Issue Copy Permalink