SigmaHQ/rules/windows/process_creation/win_apt_unidentified_nov_18.yml

action: global
title: Unidentified Attacker November 2018
id: 7453575c-a747-40b9-839b-125a0aae324b
status: stable
description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
    YYTRIUM/APT29 campaign in 2016.
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
modified: 2018/12/11
tags:
    - attack.execution
    - attack.t1085
detection:
    condition: 1 of them
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
    product: windows
    service: sysmon
detection:
    selection2:
        EventID: 11
        TargetFilename: 
            - '*ds7002.lnk*'
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`action: global`
			`title: Unidentified Attacker November 2018`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 7453575c-a747-40b9-839b-125a0aae324b`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`status: stable`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with`
			`YYTRIUM/APT29 campaign in 2016.`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`references:`
			`- https://twitter.com/DrunkBinary/status/1063075530180886529`
MDATP schema changes WDATP was renamed to MDATP (Microsoft Defendre ATP). MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914 The updates reflect these changes 2020-03-09 16:12:41 +00:00			`author: '@41thexplorer, Microsoft Defender ATP'`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`date: 2018/11/20`
			`modified: 2018/12/11`
			`tags:`
			`- attack.execution`
			`- attack.t1085`
			`detection:`
			`condition: 1 of them`
			`level: high`
			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
			`CommandLine: '*cyzfc.dat, PointFunctionCall'`
			`---`
			`# Sysmon: File Creation (ID 11)`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection2:`
			`EventID: 11`
			`TargetFilename:`
adding new rules detecting recently active APTs 2018-12-03 07:42:29 +00:00			`- 'ds7002.lnk'`