Fireball Sigma Rule

rules/apt/crime_fireball.yml

@@ -0,0 +1,19 @@
+title: Detects Fireball - archer.dll 
+status: experimental
+description: Detects suspicious Rundll32 execution 
+author: Florian Roth
+date: 2017/06/03
+reference: 
+    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
+    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*\rundll32.exe *,InstallArcherSvc'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high