SigmaHQ/rules/windows/process_creation/win_apt_winnti_pipemon.yml
2020-11-26 23:29:10 -03:00

32 lines
875 B
YAML

title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: experimental
description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
tags:
- attack.defense_evasion
- attack.t1574.002
- attack.t1073 # an old one
- attack.g0044
author: Florian Roth, oscd.community
date: 2020/07/30
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'setup0.exe -p'
selection2:
CommandLine|contains|all:
- 'setup.exe'
CommandLine|endswith:
- '-x:0'
- '-x:1'
- '-x:2'
condition: 1 of them
falsepositives:
- Legitimate setups that use similar flags
level: critical