SigmaHQ/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml

title: Lazarus Acitivity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
description: Detects different loaders as described in various threat reports on Lazarus group activity
status: experimental
references:
    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
    - https://www.hvs-consulting.de/lazarus-report/
tags:
    - attack.g0032
author: Florian Roth
date: 2020/12/23
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'reg.exe save hklm\sam %temp%\~reg_sam.save'
            - '1q2w3e4r@#$@#$@#$'
            - ' -hp1q2w3e4 '
            - '.dat data03 10000 -p '
    selection2:
        CommandLine|contains|all:
            - 'process call create'
            - ' > %temp%\~'
    selection3:
        CommandLine|contains|all:
            - 'netstat -aon | find '
            - ' > %temp%\~'
    # Network share discovery
    selection4:
        CommandLine|contains:
            - '.255 10 C:\ProgramData\\'
    condition: 1 of them
falsepositives:
    - Overlap with legitimate process activity in some cases (especially selection 3 and 4)
level: critical
rule: Lazarus activity 2020-12-23 13:43:32 +00:00			`title: Lazarus Acitivity`
			`id: 24c4d154-05a4-4b99-b57d-9b977472443a`
			`description: Detects different loaders as described in various threat reports on Lazarus group activity`
			`status: experimental`
			`references:`
			`- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/`
			`- https://www.hvs-consulting.de/lazarus-report/`
			`tags:`
			`- attack.g0032`
			`author: Florian Roth`
			`date: 2020/12/23`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
			`CommandLine\|contains:`
			`- 'reg.exe save hklm\sam %temp%\~reg_sam.save'`
			`- '1q2w3e4r@#$@#$@#$'`
			`- ' -hp1q2w3e4 '`
			`- '.dat data03 10000 -p '`
			`selection2:`
			`CommandLine\|contains\|all:`
			`- 'process call create'`
			`- ' > %temp%\~'`
			`selection3:`
			`CommandLine\|contains\|all:`
			`- 'netstat -aon \| find '`
			`- ' > %temp%\~'`
			`# Network share discovery`
			`selection4:`
			`CommandLine\|contains:`
			`- '.255 10 C:\ProgramData\\'`
			`condition: 1 of them`
			`falsepositives:`
			`- Overlap with legitimate process activity in some cases (especially selection 3 and 4)`
			`level: critical`