SigmaHQ/rules/windows/process_creation/win_apt_unidentified_nov_18.yml

action: global
title: Unidentified Attacker November 2018
id: 7453575c-a747-40b9-839b-125a0aae324b
status: stable
description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
    YYTRIUM/APT29 campaign in 2016.
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
modified: 2020/08/26
tags:
    - attack.execution
    - attack.t1218.011
    - attack.t1085  # an old one
detection:
    condition: 1 of them
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'cyzfc.dat,'
        CommandLine|endswith: 'PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
    product: windows
    category: file_event
detection:
    selection2:
        TargetFilename|contains: 
            - 'ds7002.lnk'
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`action: global`
			`title: Unidentified Attacker November 2018`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 7453575c-a747-40b9-839b-125a0aae324b`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`status: stable`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with`
			`YYTRIUM/APT29 campaign in 2016.`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`references:`
			`- https://twitter.com/DrunkBinary/status/1063075530180886529`
MDATP schema changes WDATP was renamed to MDATP (Microsoft Defendre ATP). MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914 The updates reflect these changes 2020-03-09 16:12:41 +00:00			`author: '@41thexplorer, Microsoft Defender ATP'`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`date: 2018/11/20`
att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00			`modified: 2020/08/26`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`tags:`
			`- attack.execution`
att&ck tags review: windows/process_creation part 2 2020-08-29 04:39:30 +00:00			`- attack.t1218.011`
			`- attack.t1085 # an old one`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`detection:`
			`condition: 1 of them`
			`level: high`
			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
Update win_apt_unidentified_nov_18.yml 2020-11-27 02:26:18 +00:00			`CommandLine\|contains: 'cyzfc.dat,'`
			`CommandLine\|endswith: 'PointFunctionCall'`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`---`
			`# Sysmon: File Creation (ID 11)`
			`logsource:`
			`product: windows`
- Cleaned up some more rules where 'service: sysmon' was combined with category - Replaced 'service: sysmon' with category: ... for some more events to make the rules more product independent modified: rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml modified: rules/windows/malware/mal_azorult_reg.yml modified: rules/windows/powershell/powershell_suspicious_profile_create.yml modified: rules/windows/process_creation/sysmon_cmstp_execution.yml modified: rules/windows/process_creation/win_apt_chafer_mar18.yml modified: rules/windows/process_creation/win_apt_unidentified_nov_18.yml modified: rules/windows/process_creation/win_hktl_createminidump.yml modified: rules/windows/process_creation/win_mal_adwind.yml modified: rules/windows/process_creation/win_silenttrinity_stage_use.yml 2020-10-02 08:45:29 +00:00			`category: file_event`
Unified line terminators of rules to Unix 2019-11-12 22:05:36 +00:00			`detection:`
			`selection2:`
Update win_apt_unidentified_nov_18.yml 2020-10-15 20:36:20 +00:00			`TargetFilename\|contains:`
			`- 'ds7002.lnk'`