mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
33 lines
995 B
YAML
33 lines
995 B
YAML
title: Lazarus Activity
|
|
id: 4a12fa47-c735-4032-a214-6fab5b120670
|
|
description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
|
|
status: experimental
|
|
references:
|
|
- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
|
|
tags:
|
|
- attack.g0032
|
|
author: Bhabesh Raj
|
|
date: 2021/04/20
|
|
modified: 2021/06/27
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains|all:
|
|
- 'mshta'
|
|
- '.zip'
|
|
selection2:
|
|
ParentImage:
|
|
- 'C:\Windows\System32\wbem\wmiprvse.exe'
|
|
Image:
|
|
- 'C:\Windows\System32\mshta.exe'
|
|
selection3:
|
|
ParentImage|contains:
|
|
- ':\Users\Public\'
|
|
Image:
|
|
- 'C:\Windows\System32\rundll32.exe'
|
|
condition: 1 of them
|
|
falsepositives:
|
|
- Should not be any false positives
|
|
level: critical |