action: global
title: GALLIUM Artefacts
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: experimental
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
author: Tim Burrell
date: 2020/02/07
references:
    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
tags:
    - attack.credential_access
    - attack.command_and_control
falsepositives:
    - unknown
level: high
---
logsource:
    product: windows
    category: process_creation
detection:
    exec_selection:
        sha1:
            - '53a44c2396d15c3a03723fa5e5db54cafd527635'
            - '9c5e496921e3bc882dc40694f1dcc3746a75db19'
            - 'aeb573accfd95758550cf30bf04f389a92922844'
            - '79ef78a797403a4ed1a616c68e07fff868a8650a'
            - '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
            - '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
            - 'e841a63e47361a572db9a7334af459ddca11347a'
            - 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
            - '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
            - 'dd44133716b8a241957b912fa6a02efde3ce3025'
            - '8793bf166cb89eb55f0593404e4e933ab605e803'
            - 'a39b57032dbb2335499a51e13470a7cd5d86b138'
            - '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
            - 'd209430d6af54792371174e70e27dd11d3def7a7'
            - '1c6452026c56efd2c94cea7e0f671eb55515edb0'
            - 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
            - '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
            - 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
            - 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
    condition: exec_selection
---
logsource:
    product: windows
    service: dns-server
detection:
    c2_selection:
        EventID: 257
        QNAME: 
            - 'asyspy256.ddns.net'
            - 'hotkillmail9sddcc.ddns.net'
            - 'rosaf112.ddns.net'
            - 'cvdfhjh1231.myftp.biz'
            - 'sz2016rose.ddns.net'
            - 'dffwescwer4325.myftp.biz'
            - 'cvdfhjh1231.ddns.net'
    condition: c2_selection
---
logsource:
    product: windows
    category: process_creation
detection:
    legitimate_process_path:
        Image|contains:
            - ':\Program Files(x86)\'
            - ':\Program Files\'
    legitimate_executable:
        sha1:
            - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
    condition: legitimate_executable and not legitimate_process_path