title: Turla ComRAT
id: 7857f021-007f-4928-8b2c-7aedbe64bb82
status: experimental
description: Detects Turla ComRAT patterns
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth
date: 2020/05/26
modified: 2020/09/03
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1043  # an old one
    - attack.g0010
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/index/index.php?h='
    condition: selection
falsepositives:
    - Unknown
level: critical