SigmaHQ/rules/apt/apt_apt29_tor.yml

---
action: global
title: APT29 Google Update Service Install
description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
tags:
    - attack.command_and_control
    - attack.g0016
    - attack.t1172
logsource:
    product: windows
    service: system
detection:
    service_install:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
    condition: service_install | near process
falsepositives:
    - Unknown
level: high

---
logsource:
    category: process_creation
    product: windows
detection:
    process:
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
Missing separator 2018-03-05 10:29:42 +00:00			`---`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`action: global`
Rule: APT29 Google Update service install 2017-03-31 17:31:13 +00:00			`title: APT29 Google Update Service Install`
APT 29 - tor / google update service 2017-04-01 08:30:36 +00:00			`description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html`
Add tags to APT rules 2018-07-25 07:50:01 +00:00			`tags:`
			`- attack.command_and_control`
			`- attack.g0016`
			`- attack.t1172`
Updated to use the new process_creation logsource 2019-03-04 13:13:27 +00:00			`logsource:`
			`product: windows`
Fixing failed CI build 2019-03-04 13:44:30 +00:00			`service: system`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`detection:`
Fixing failed CI build 2019-03-04 13:44:30 +00:00			`service_install:`
Updated to use the new process_creation logsource 2019-03-04 13:13:27 +00:00			`EventID: 7045`
			`ServiceName: 'Google Update'`
Fixing failed CI build - take 2 2019-03-04 13:51:39 +00:00			`timeframe: 5m`
			`condition: service_install \| near process`
			`falsepositives:`
			`- Unknown`
			`level: high`

Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`---`
Updated to use the new process_creation logsource 2019-03-04 13:13:27 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 21:12:14 +00:00			`detection:`
			`process:`
			`Image:`
			`- 'C:\Program Files(x86)\Google\GoogleService.exe'`
			`- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'`