SigmaHQ/rules/apt/apt_elise.yml

title: Elise Backdoor
status: experimental
description: Detects Elise backdoor acitivty as used by APT32 
references: 
    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
tags:
    - attack.g0030
    - attack.g0050
    - attack.s0081
author: Florian Roth
date: 2018/01/31
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 1
        Image: 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine: '*\Windows\Caches\NavShExt.dll *'
    selection2:
        EventID: 1
        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
    condition: 1 of them
falsepositives:
    - Unknown
level: critical
Rule: APT32 Elise 2018-01-31 22:11:37 +00:00			`title: Elise Backdoor`
			`status: experimental`
			`description: Detects Elise backdoor acitivty as used by APT32`
Changed reference to references in Elise rule 2018-01-31 22:13:00 +00:00			`references:`
			`- https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting`
Add tags to APT rules 2018-07-25 07:50:01 +00:00			`tags:`
			`- attack.g0030`
			`- attack.g0050`
			`- attack.s0081`
Rule: APT32 Elise 2018-01-31 22:11:37 +00:00			`author: Florian Roth`
			`date: 2018/01/31`
Changed Elise backdoor rule 2018-02-25 16:25:04 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
Rule: APT32 Elise 2018-01-31 22:11:37 +00:00			`detection:`
			`selection1:`
			`EventID: 1`
			`Image: 'C:\Windows\SysWOW64\cmd.exe'`
			`CommandLine: '\Windows\Caches\NavShExt.dll '`
			`selection2:`
			`EventID: 1`
			`CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: 1 of them`
Rule: APT32 Elise 2018-01-31 22:11:37 +00:00			`falsepositives:`
			`- Unknown`
			`level: critical`