valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1998 from SigmaHQ/rule-devel

Browse Source 
PRIVATELOG image load
This commit is contained in:
Florian Roth 2021-09-07 12:08:46 +02:00 committed by GitHub
commit 10726bbb1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
rules/windows/image_load/win_susp_svchost_clfsw32.yml Normal file
View File

@ -0,0 +1,19 @@
title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
status: experimental
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth
date: 2021/09/07
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\clfsw32.dll'
condition: selection
falsepositives:
- Rarely observed
level: high