SigmaHQ/rules/windows/process_creation/win_crime_fireball.yml

29 lines
845 B
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: Fireball Archer Install
2019-11-12 22:12:27 +00:00
id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
2017-06-03 12:48:47 +00:00
status: experimental
2017-06-03 12:53:08 +00:00
description: Detects Archer malware invocation via rundll32
2017-06-03 12:48:47 +00:00
author: Florian Roth
date: 2017/06/03
modified: 2020/08/29
references:
2017-06-03 12:48:47 +00:00
- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
2019-03-13 10:10:12 +00:00
tags:
- attack.execution
2019-03-13 10:22:38 +00:00
- attack.defense_evasion
2020-06-16 20:46:08 +00:00
- attack.t1218.011
- attack.t1085 # an old one
2017-06-03 12:48:47 +00:00
logsource:
category: process_creation
2017-06-03 12:48:47 +00:00
product: windows
detection:
selection:
CommandLine: '*\rundll32.exe *,InstallArcherSvc'
2017-06-03 12:53:08 +00:00
condition: selection
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
2017-06-03 12:48:47 +00:00
falsepositives:
- Unknown
level: high