hints: - contains doesn't require wildcards in the strings - we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day) - we can use "1 of them" to say that 1 of the conditions has to match
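action: global
# Global document of a Sigma rule collection: everything here is merged into each
# of the `---` documents that follow. Each later document contributes one
# logsource + detection pair; the `1 of them` condition OR's all selections.
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
tags:
    - attack.execution
    # T1112 (Modify Registry) is a Defense Evasion technique in ATT&CK; the
    # tactic tag was missing, so the rule was only grouped under Execution.
    - attack.defense_evasion
    - attack.t1112
    - attack.t1047
author: Trent Liffick (@tliffick)
date: 2020/05/14
falsepositives:
    - unknown
level: high
# `condition` must live under `detection`; the global merge then places it into
# every document's detection block next to that document's selection. (The
# rendered listing showed it at top level, where Sigma would not evaluate it.)
detection:
    condition: 1 of them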
---
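logsource:
    category: process_creation
    product: windows
detection:
    # Reconfiguration of the wercplsupport service to load the look-alike
    # "wercplsupporte.dll" (extra "e" compared to the legitimate wercplsupport.dll),
    # as seen on a cmd.exe command line.
    exec_selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'sc config'
            - 'wercplsupporte.dll'
    # The selection above only inspects the cmd.exe process. If the same command
    # is issued to sc.exe directly (no cmd.exe parent, or spelled `sc.exe config`,
    # which does not contain the literal "sc config"), it is missed. Match the
    # sc.exe process itself as well; the misspelled DLL name is the discriminating
    # indicator, so `config` alone is deliberately not enough to fire.
    sc_direct:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'config'
            - 'wercplsupporte.dll'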
---
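logsource:
    category: process_creation
    product: windows
detection:
    # wmic.exe touching COR_PROFILER (the .NET CLR profiler hook variable).
    # A suffix match (`endswith`) only fires when COR_PROFILER is the very last
    # token of the command line; a value or any further argument after the
    # variable name would defeat it. `contains` matches the name anywhere.
    # Sigma string matching is case-insensitive, so casing variants are covered.
    wmic_cmd:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'COR_PROFILER'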
---
logsource:
    product: windows
    service: sysmon
detection:
    # Sysmon Event ID 13 (RegistryEvent: value set) on the ServiceDll value of the
    # wercplsupport service. This fires on any write to that value, whatever DLL
    # path is written; whether the event is emitted at all depends on the Sysmon
    # configuration including this key. The trailing-path match is equivalent to
    # the earlier one-element `endswith` list.
    mod_reg:
        EventID: 13
        TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'