valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Hurricane Panda activity

Browse Source 
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
This commit is contained in:
Florian Roth 2018-02-25 17:24:00 +01:00
parent 1001afb038
commit f2057f0c77
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
rules/apt/apt_hurricane_panda.yml Normal file
View File

@ -0,0 +1,35 @@
---
action: global
title: Hurricane Panda Activity
status: experimental
description: Detects Hurricane Panda Activity
references:
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
author: Florian Roth
date: 2018/02/25
detection:
selection:
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
condition: selection1 or selection2
falsepositives:
- Unknown
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688