adding new rules detecting recently active APTs

2024-11-06 17:35:19 +00:00 · 2018-12-03 09:42:29 +02:00 · 2018-12-03 09:42:29 +02:00 · 9f1df6164b
commit 9f1df6164b
parent 2ebbdebe46
2 changed files with 78 additions and 0 deletions
--- a/rules/apt/apt_tropictrooper.yml
+++ b/rules/apt/apt_tropictrooper.yml
@ -0,0 +1,34 @@
+action: global
+title: TropicTrooper Campaign November 2018
+status: stable
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+author: 
+  - "@41thexplorer, Windows Defender ATP"
+date: 2018/11/30
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
--- a/rules/apt/apt_unidentified_nov_18.yml
+++ b/rules/apt/apt_unidentified_nov_18.yml
@ -0,0 +1,44 @@
+action: global
+title: Unidentified Attacker November 2018
+status: stable
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+references:
+    - https://twitter.com/DrunkBinary/status/1063075530180886529
+author: 
+    - "@41thexplorer, Windows Defender ATP"
+date: 2018/11/20
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: File Creation (ID 11)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename: 
+            - '*ds7002.lnk*'