SigmaHQ/rules/windows/process_creation/win_apt_chafer_mar18.yml

74 lines
1.8 KiB
YAML
Raw Normal View History

action: global
title: Chafer Activity
2019-11-12 22:12:27 +00:00
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
2018-07-25 07:50:01 +00:00
tags:
2019-03-01 10:23:02 +00:00
- attack.persistence
2018-07-25 07:50:01 +00:00
- attack.g0049
2019-03-01 10:23:02 +00:00
- attack.t1053
- attack.s0111
- attack.defense_evasion
- attack.t1112
2018-03-23 09:50:40 +00:00
date: 2018/03/23
2019-03-01 12:36:54 +00:00
modified: 2019/03/01
2018-03-23 09:50:40 +00:00
author: Florian Roth, Markus Neis
detection:
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
2019-03-01 12:36:54 +00:00
logsource:
product: windows
service: system
detection:
selection_service:
EventID: 7045
ServiceName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
product: windows
2019-03-01 10:23:02 +00:00
service: security
detection:
selection_service:
2019-03-01 10:23:02 +00:00
EventID: 4698
TaskName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
product: windows
service: sysmon
detection:
selection_reg1:
EventID: 13
TargetObject:
- '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
EventType: 'SetValue'
selection_reg2:
EventID: 13
2018-03-23 09:50:40 +00:00
TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
EventType: 'SetValue'
Details: 'DWORD (0x00000001)'
---
logsource:
category: process_creation
product: windows
detection:
selection_process1:
CommandLine:
- '*\Service.exe i'
- '*\Service.exe u'
- '*\microsoft\Taskbar\autoit3.exe'
- 'C:\wsc.exe*'
selection_process2:
2019-02-02 23:24:57 +00:00
Image: '*\Windows\Temp\DB\\*.exe'
2018-03-23 09:50:40 +00:00
selection_process3:
CommandLine: '*\nslookup.exe -q=TXT*'
2019-02-02 23:24:57 +00:00
ParentImage: '*\Autoit*'