SigmaHQ/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml

title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: experimental
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
date: 2017/11/06
tags:
    - attack.g0010
author: Markus Neis
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
    selection:
        PipeName: 
            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\userpipe' # ruag apt case
            - '\iehelper' # ruag apt case
            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            # - '\rpc'  # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unknown
level: critical
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`title: Turla Group Named Pipes`
			`id: 739915e4-1e70-4778-8b8a-17db02f66db1`
Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 13:22:09 +00:00			`status: experimental`
			`description: Detects a named pipe used by Turla group samples`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- Internal Research`
Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 13:22:09 +00:00			`date: 2017/11/06`
Add tags to APT rules 2018-07-25 07:50:01 +00:00			`tags:`
			`- attack.g0010`
Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 13:22:09 +00:00			`author: Markus Neis`
			`logsource:`
			`product: windows`
- Created new categories for sysmon events - Replaced the explicit EventIDs with the reference to the category - Moved the rules to the corresponding directories 2020-09-30 18:44:14 +00:00			`category: pipe_created`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Note that you have to configure logging for PipeEvents in Symson config'`
Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 13:22:09 +00:00			`detection:`
			`selection:`
			`PipeName:`
			`- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection`
			`- '\userpipe' # ruag apt case`
			`- '\iehelper' # ruag apt case`
			`- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra`
			`- '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra`
			`# - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483`
			`condition: selection`
			`falsepositives:`
fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00			`- Unknown`
Sysmon: Named Pipe detection for Turla malware by @markus_neis 2017-11-06 13:22:09 +00:00			`level: critical`