rule: winnti group campaign against HK universities

rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml

@@ -0,0 +1,33 @@
+title: Winnti Malware HK University Campaign
+id: 3121461b-5aa0-4a41-b910-66d25524edbb
+status: experimental
+description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
+references:
+    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
+tags:
+    - attack.defense_evasion
+    - attack.t1073
+    - attack.g0044
+author: Florian Roth
+date: 2020/02/01
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        ParentImage|contains: 
+          - 'C:\Windows\Temp'
+          - '\hpqhvind.exe'
+        Image|startswith: 'C:\ProgramData\DRM'
+    selection2:
+        ParentImage|startswith: 'C:\ProgramData\DRM'
+        Image|endswith: '\wmplayer.exe'
+    selection3:
+        ParentImage|endswith: '\Test.exe'
+        Image|endswith: '\wmplayer.exe'
+    selection4:
+        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
+    condition: 1 of them
+falsepositives:
+    - Unlikely
+level: critical