action: global
title: Unidentified Attacker November 2018
id: 7453575c-a747-40b9-839b-125a0aae324b
status: stable
description: A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile organisations in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign of 2016.
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
date: 2018/11/20
modified: 2018/12/11
tags:
    - attack.execution
    - attack.t1085
detection:
    condition: 1 of them
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
    product: windows
    service: sysmon
detection:
    selection2:
        EventID: 11
        TargetFilename:
            - '*ds7002.lnk*'
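The following Python is an added example, not part of the rule above and not Sigma's own matching engine: it re-implements the rule's two selections by hand (Sigma wildcard strings, case-insensitive full-value match, list values OR-ed, fields within a selection AND-ed, and `1 of them` as "any selection") and runs them over a few constructed events. The event dictionaries, their field names and the logsource tags attached to them are assumptions made for the example; they mimic Sysmon/Sigma field names but are not real telemetry.

```python
import re

# Sigma string semantics: '*' matches any run of characters, '?' one character,
# comparison is case-insensitive and must cover the whole field value.
def sigma_pattern_to_regex(pattern):
    parts = []
    for ch in str(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def field_matches(event, field, allowed):
    """A field matches if ANY listed value matches (Sigma lists are OR-ed)."""
    if field not in event:
        return False
    value = str(event[field])
    return any(sigma_pattern_to_regex(v).fullmatch(value) for v in allowed)


# The two selections from the rule, each bound to the logsource of the YAML
# document it came from (the rule is a multi-document Sigma file).
SELECTIONS = {
    "selection1": {
        "logsource": {"category": "process_creation", "product": "windows"},
        "fields": {"CommandLine": ["*cyzfc.dat, PointFunctionCall"]},
    },
    "selection2": {
        "logsource": {"product": "windows", "service": "sysmon"},
        "fields": {"EventID": [11], "TargetFilename": ["*ds7002.lnk*"]},
    },
}


def logsource_matches(event, logsource):
    return all(event.get(k) == v for k, v in logsource.items())


def matched_selections(event):
    """Names of the selections this event satisfies (fields in a selection are AND-ed)."""
    hits = []
    for name, sel in SELECTIONS.items():
        if not logsource_matches(event, sel["logsource"]):
            continue
        if all(field_matches(event, f, vals) for f, vals in sel["fields"].items()):
            hits.append(name)
    return hits


def rule_fires(event):
    """condition: 1 of them  ->  at least one selection matched."""
    return len(matched_selections(event)) >= 1


# Constructed sample events (assumed for this example, not real telemetry).
EVENTS = [
    # rundll32 loading the .dat with the named export: should hit selection1
    {"category": "process_creation", "product": "windows",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\cyzfc.dat, PointFunctionCall"},
    # Sysmon EID 11 writing the .lnk (different case, still matches): selection2
    {"product": "windows", "service": "sysmon", "EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\DS7002.lnk"},
    # benign file creation: no match
    {"product": "windows", "service": "sysmon", "EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx"},
    # same export but with a trailing argument: pattern has no trailing '*', no match
    {"category": "process_creation", "product": "windows",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\cyzfc.dat, PointFunctionCall extra"},
]


def run(events=EVENTS):
    """(index, matched selections) for every event on which the rule fires."""
    return [(i, matched_selections(e)) for i, e in enumerate(events) if rule_fires(e)]


if __name__ == "__main__":
    for idx, sels in run():
        print(f"event {idx}: fired via {sels}")
```

Two properties of the rule are visible in the last two sample events. `selection2` uses `'*ds7002.lnk*'`, so the filename is matched anywhere in the path; `selection1` uses `'*cyzfc.dat, PointFunctionCall'` with no trailing wildcard, so the command line must end at the export name, and a process whose command line carries anything after `PointFunctionCall` is not matched. If that tail is not meaningful for the detection, append `*` to the pattern in the rule. Because the rule is a multi-document file, each selection is evaluated only against events from its own logsource, which the example models with the `logsource` check.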