valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3eaf4d6e94
SigmaHQ/rules/apt/apt_oceanlotus_registry.yml
megan201296 74fce5f511
Create apt_oceanlotus_registry.yml 
Rule based on https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/. Based on OSINT, these keys are unique to the oceanlotus activity and not at all legitimate.
2019-04-14 12:01:52 -05:00

28 lines
1.0 KiB
YAML
Raw Blame History

title: OceanLotus Registry Activity
status: experimental
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
tags:
- attack.t1112
author: megan201296
date: 2019/04/14
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject:
- '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink