mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
31 lines
1.0 KiB
YAML
Executable File
31 lines
1.0 KiB
YAML
Executable File
title: Turla Group Named Pipes
|
|
status: experimental
|
|
description: Detects a named pipe used by Turla group samples
|
|
references:
|
|
- Internal Research
|
|
date: 2017/11/06
|
|
tags:
|
|
- attack.g0010
|
|
author: Markus Neis
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 17
|
|
- 18
|
|
PipeName:
|
|
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
|
|
- '\userpipe' # ruag apt case
|
|
- '\iehelper' # ruag apt case
|
|
- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
|
|
- '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
|
|
# - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
|
|
condition: selection
|
|
falsepositives:
|
|
- Unkown
|
|
level: critical
|
|
|