SigmaHQ/rules/windows/process_creation/win_hack_koadic.yml

title: Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: experimental
description: Detects command line parameters used by Koadic hack tool
references:
    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
    - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
tags:
    - attack.execution
    - attack.t1170
    - attack.t1218.005
date: 2020/01/12
author: wagga
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '*cmd.exe* /q /c chcp *'
    condition: selection1
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Pentest
level: high
New Koadic detection rule 2020-02-16 15:48:49 +00:00			`title: Koadic Execution`
			`id: 5cddf373-ef00-4112-ad72-960ac29bac34`
			`status: experimental`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`description: Detects command line parameters used by Koadic hack tool`
New Koadic detection rule 2020-02-16 15:48:49 +00:00			`references:`
			`- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/`
			`- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955`
			`- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/`
			`tags:`
			`- attack.execution`
			`- attack.t1170`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1218.005`
New Koadic detection rule 2020-02-16 15:48:49 +00:00			`date: 2020/01/12`
			`author: wagga`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection1:`
			`CommandLine:`
			`- 'cmd.exe /q /c chcp *'`
			`condition: selection1`
			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
			`falsepositives:`
			`- Pentest`
level increased 2020-02-26 08:42:31 +00:00			`level: high`