mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
080532d20c
I've swapped the lines in the logsource section to make it clearer that the category "process_creation" covers all sources that generate process creation logs on the windows platform.
73 lines
2.6 KiB
YAML
73 lines
2.6 KiB
YAML
action: global
|
|
title: GALLIUM Artefacts
|
|
id: 440a56bf-7873-4439-940a-1c8a671073c2
|
|
status: experimental
|
|
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
|
|
author: Tim Burrell
|
|
date: 2020/02/07
|
|
references:
|
|
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
|
|
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.command_and_control
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|
|
---
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
exec_selection:
|
|
sha1:
|
|
- '53a44c2396d15c3a03723fa5e5db54cafd527635'
|
|
- '9c5e496921e3bc882dc40694f1dcc3746a75db19'
|
|
- 'aeb573accfd95758550cf30bf04f389a92922844'
|
|
- '79ef78a797403a4ed1a616c68e07fff868a8650a'
|
|
- '4f6f38b4cec35e895d91c052b1f5a83d665c2196'
|
|
- '1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
|
|
- 'e841a63e47361a572db9a7334af459ddca11347a'
|
|
- 'c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
|
|
- '2e94b305d6812a9f96e6781c888e48c7fb157b6b'
|
|
- 'dd44133716b8a241957b912fa6a02efde3ce3025'
|
|
- '8793bf166cb89eb55f0593404e4e933ab605e803'
|
|
- 'a39b57032dbb2335499a51e13470a7cd5d86b138'
|
|
- '41cc2b15c662bc001c0eb92f6cc222934f0beeea'
|
|
- 'd209430d6af54792371174e70e27dd11d3def7a7'
|
|
- '1c6452026c56efd2c94cea7e0f671eb55515edb0'
|
|
- 'c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
|
|
- '4923d460e22fbbf165bbbaba168e5a46b8157d9f'
|
|
- 'f201504bd96e81d0d350c3a8332593ee1c9e09de'
|
|
- 'ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
|
|
condition: exec_selection
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: dns-server
|
|
detection:
|
|
c2_selection:
|
|
EventID: 257
|
|
QNAME:
|
|
- 'asyspy256.ddns.net'
|
|
- 'hotkillmail9sddcc.ddns.net'
|
|
- 'rosaf112.ddns.net'
|
|
- 'cvdfhjh1231.myftp.biz'
|
|
- 'sz2016rose.ddns.net'
|
|
- 'dffwescwer4325.myftp.biz'
|
|
- 'cvdfhjh1231.ddns.net'
|
|
condition: c2_selection
|
|
---
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
legitimate_process_path:
|
|
Image|contains:
|
|
- ':\Program Files(x86)\'
|
|
- ':\Program Files\'
|
|
legitimate_executable:
|
|
sha1:
|
|
- 'e570585edc69f9074cb5e8a790708336bd45ca0f'
|
|
condition: legitimate_executable and not legitimate_process_path
|