From 2c54d1afe40f68b25895828a020870c54a56ff81 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 18 Nov 2019 11:42:38 +0100
Subject: [PATCH] rule: removed Zebrocy rule because it doesn't work that way

reason: command line gets split up at the '&' character, which results in two command lines
---
rules/apt/apt_sofacy_zebrocy.yml | 20 --------------------
1 file changed, 20 deletions(-)
delete mode 100644 rules/apt/apt_sofacy_zebrocy.yml

diff --git a/rules/apt/apt_sofacy_zebrocy.yml b/rules/apt/apt_sofacy_zebrocy.yml
deleted file mode 100644
index 49a8df3b..00000000
--- a/rules/apt/apt_sofacy_zebrocy.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Sofacy Zebrocy
-id: 8545cb01-102e-41ee-babd-46bd24e8cb97
-author: Florian Roth
-description: Detects Sofacy's Zebrocy malware execution
-references:
- - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
-tags:
- - attack.execution
- - attack.g0020
- - attack.t1059
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
- condition: selection
-falsepositives:
- - Unknown
-level: critical