Sigma queries for

-- terminating threads in a svchost process (InvokePhantom uses this technique to disable windows event logging)
-- GALLIUM threat intel IOCs in recent MSTIC blog/release.

rules/apt/apt_gallium.yml

@@ -0,0 +1,59 @@
+action: global
+title: GALLIUM artefacts
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+status: experimental
+description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
+author: Tim Burrell
+references:
+    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+tags:
+    - attack.credential_access
+    - attack.command_and_control
+falsepositives:
+    - unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    exec_selection:
+        EventID: 1
+        Hashes:
+            - '*53a44c2396d15c3a03723fa5e5db54cafd527635*'
+            - '*9c5e496921e3bc882dc40694f1dcc3746a75db19*'
+            - '*aeb573accfd95758550cf30bf04f389a92922844*'
+            - '*79ef78a797403a4ed1a616c68e07fff868a8650a*'
+            - '*4f6f38b4cec35e895d91c052b1f5a83d665c2196*'
+            - '*1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d*'
+            - '*e841a63e47361a572db9a7334af459ddca11347a*'
+            - '*c28f606df28a9bc8df75a4d5e5837fc5522dd34d*'
+            - '*2e94b305d6812a9f96e6781c888e48c7fb157b6b*'
+            - '*dd44133716b8a241957b912fa6a02efde3ce3025*'
+            - '*8793bf166cb89eb55f0593404e4e933ab605e803*'
+            - '*a39b57032dbb2335499a51e13470a7cd5d86b138*'
+            - '*41cc2b15c662bc001c0eb92f6cc222934f0beeea*'
+            - '*d209430d6af54792371174e70e27dd11d3def7a7*'
+            - '*1c6452026c56efd2c94cea7e0f671eb55515edb0*'
+            - '*c6b41d3afdcdcaf9f442bbe772f5da871801fd5a*'
+            - '*4923d460e22fbbf165bbbaba168e5a46b8157d9f*'
+            - '*f201504bd96e81d0d350c3a8332593ee1c9e09de*'
+            - '*ddd2db1127632a2a52943a2fe516a2e7d05d70d2*'
+    condition: exec_selection
+---
+logsource:
+    product: windows
+    service: dns-server
+detection:
+    c2_selection:
+        EventID: 257
+        QNAME: 
+            - 'asyspy256.ddns.net'
+            - 'hotkillmail9sddcc.ddns.net'
+            - 'rosaf112.ddns.net'
+            - 'cvdfhjh1231.myftp.biz'
+            - 'sz2016rose.ddns.net'
+            - 'dffwescwer4325.myftp.biz'
+            - 'cvdfhjh1231.ddns.net'
+    condition: c2_selection

rules/windows/sysmon/sysmon_invoke_phantom.yml

@@ -0,0 +1,25 @@
+title: Suspect svchost memory access
+id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
+status: experimental
+description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
+author: Tim Burrell
+references:
+    - https://github.com/hlldz/Invoke-Phant0m
+    - https://twitter.com/timbmsft/status/900724491076214784
+tags:
+    - attack.t1089
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 10
+        TargetImage: '*\windows\system32\svchost.exe'
+        GrantedAccess: '0x1f3fff'
+        CallTrace:
+         - '*unknown*'
+    condition: selection
+falsepositives:
+    - unknown
+level: high