SigmaHQ/rules/apt/apt_apt29_tor.yml

title: APT29 Google Update Service Install
description: 'This method detects a service install of malicious services mentioned in APT29 report by FireEye' 
reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName: 'Google Update'
    condition: selection
falsepositives:
    - Unknown
level: high
Rule: APT29 Google Update service install 2017-03-31 17:31:13 +00:00			`title: APT29 Google Update Service Install`
			`description: 'This method detects a service install of malicious services mentioned in APT29 report by FireEye'`
			`reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html`
			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID: 7045`
			`ServiceName: 'Google Update'`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`