SigmaHQ/rules/apt/apt_zxshell.yml

title: ZxShell Malware
description: Detects a ZxShell start by the called and well-known function name   
author: Florian Roth
references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
tags:
    - attack.g0001
    - attack.execution
    - attack.t1059
    - attack.defense_evasion
    - attack.t1085
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Command: 
            - 'rundll32.exe *,zxFunction*'
            - 'rundll32.exe *,RemoteDiskXXXXX'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unlikely
level: critical
ZxShell 2017-07-20 18:36:24 +00:00			`title: ZxShell Malware`
			`description: Detects a ZxShell start by the called and well-known function name`
			`author: Florian Roth`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100`
Add tags to APT rules 2018-07-25 07:50:01 +00:00			`tags:`
			`- attack.g0001`
add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00			`- attack.execution`
			`- attack.t1059`
fixed tag typo on rules 2019-03-13 10:22:38 +00:00			`- attack.defense_evasion`
add tags to apt zxshell rule 2019-03-13 10:09:05 +00:00			`- attack.t1085`
ZxShell 2017-07-20 18:36:24 +00:00			`logsource:`
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`category: process_creation`
ZxShell 2017-07-20 18:36:24 +00:00			`product: windows`
			`detection:`
			`selection:`
			`Command:`
			`- 'rundll32.exe ,zxFunction'`
			`- 'rundll32.exe *,RemoteDiskXXXXX'`
			`condition: selection`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
ZxShell 2017-07-20 18:36:24 +00:00			`falsepositives:`
			`- Unlikely`
			`level: critical`