SigmaHQ/rules/windows/process_creation/win_apt_bluemashroom.yml

title: BlueMashroom DLL Load
status: experimental
description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report
references:
    - 'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'
tags:
    - attack.defense_evasion
    - attack.t1117
author: Florian Roth
date: 2019/10/02
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: 
            - '*\regsrv32*\AppData\Local\*,*'
            - '*\AppData\Local\*,DllEntry*'
    condition: selection
falsepositives:
    - Unlikely
level: critical
fix: fixed typo in APT group name 2019-10-02 12:02:07 +00:00			`title: BlueMashroom DLL Load`
rule: APT blue mushroom 2019-10-02 11:57:14 +00:00			`status: experimental`
fix: fixed typo in APT group name 2019-10-02 12:02:07 +00:00			`description: Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report`
rule: APT blue mushroom 2019-10-02 11:57:14 +00:00			`references:`
			`- 'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1117`
			`author: Florian Roth`
			`date: 2019/10/02`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
rule: extended the command line in bluemashroom rule 2019-10-02 12:03:34 +00:00			`CommandLine:`
			`- '\regsrv32\AppData\Local\,'`
			`- '\AppData\Local\,DllEntry*'`
rule: APT blue mushroom 2019-10-02 11:57:14 +00:00			`condition: selection`
			`falsepositives:`
			`- Unlikely`
			`level: critical`