mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
36 lines
978 B
YAML
36 lines
978 B
YAML
action: global
|
|
title: Unidentified Attacker November 2018
|
|
id: 7453575c-a747-40b9-839b-125a0aae324b
|
|
status: stable
|
|
description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
|
|
YYTRIUM/APT29 campaign in 2016.
|
|
references:
|
|
- https://twitter.com/DrunkBinary/status/1063075530180886529
|
|
author: '@41thexplorer, Microsoft Defender ATP'
|
|
date: 2018/11/20
|
|
modified: 2020/08/26
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1218.011
|
|
- attack.t1085 # an old one
|
|
detection:
|
|
condition: 1 of them
|
|
level: high
|
|
---
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains: 'cyzfc.dat,'
|
|
CommandLine|endswith: 'PointFunctionCall'
|
|
---
|
|
# Sysmon: File Creation (ID 11)
|
|
logsource:
|
|
product: windows
|
|
category: file_event
|
|
detection:
|
|
selection2:
|
|
TargetFilename|contains:
|
|
- 'ds7002.lnk'
|