SigmaHQ/rules/windows/process_creation/win_apt_ta17_293a_ps.yml

title: Ps.exe Renamed SysInternals Tool
id: 18da1007-3f26-470f-875d-f77faf1cab31
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
    - https://www.us-cert.gov/ncas/alerts/TA17-293A
tags:
    - attack.defense_evasion
    - attack.g0035
    - attack.t1036 # an old one
    - attack.t1036.003
    - car.2013-05-009
author: Florian Roth
date: 2017/10/22
modified: 2020/08/27
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: 'ps.exe -accepteula'
    condition: selection
falsepositives:
    - Renamed SysInternals tool
level: high
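To see what this selection actually fires on, here is an added Python evaluator (not part of the SigmaHQ rule or its tooling) that applies Sigma's plain-string semantics, a case-insensitive match of the whole field value with `*` and `?` as the only wildcards, to a few constructed Sysmon-style process-creation events. It shows that the rule as written needs the command line to be exactly `ps.exe -accepteula` in any letter case; a full-path invocation or extra arguments would not match without wildcards.

```python
"""Evaluate the Ps.exe rule's selection against constructed process-creation events."""
import re

# The rule's detection.selection block from the page, as a Python dict.
SELECTION = {"CommandLine": "ps.exe -accepteula"}


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Compile one unmodified Sigma string value into an anchored regex.

    Sigma semantics: the whole field value must match, case-insensitively;
    '*' matches any run of characters and '?' a single character.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """A selection map ANDs its fields; a list of values for one field is an OR."""
    for field, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        observed = event.get(field)
        if observed is None:
            return False
        if not any(sigma_value_to_regex(v).match(str(observed)) for v in values):
            return False
    return True


def matching_events(events) -> list:
    """Return the ids of the events the rule's selection would alert on."""
    return [e["id"] for e in events if selection_matches(SELECTION, e)]


# Constructed sample events (not real telemetry); event 3 and 4 are near misses.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\Temp\ps.exe", "CommandLine": "ps.exe -accepteula"},
    {"id": 2, "Image": r"C:\Windows\Temp\ps.exe", "CommandLine": "PS.EXE -AcceptEula"},
    {"id": 3, "Image": r"C:\Windows\Temp\ps.exe", "CommandLine": r"C:\Windows\Temp\ps.exe -accepteula"},
    {"id": 4, "Image": r"C:\Tools\PsExec.exe", "CommandLine": "PsExec.exe -accepteula"},
]

if __name__ == "__main__":
    print(matching_events(EVENTS))  # [1, 2]
```

Wrapping the value in wildcards (`'*ps.exe -accepteula*'`) would make event 3 match as well, at the cost of more noise from legitimately placed renamed tools.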