valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f57f5931ed
SigmaHQ/rules/windows/process_creation/win_apt_chafer_mar18.yml

78 lines
2.0 KiB
YAML
Executable File
Raw Blame History

action: global
title: Chafer Activity
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
- attack.persistence
- attack.g0049
- attack.t1053 # an old one
- attack.t1053.005
- attack.s0111
- attack.t1050 # an old one
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071 # an old one
- attack.t1071.004
date: 2018/03/23
modified: 2020/08/26
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
detection:
condition: 1 of them
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: system
detection:
selection_service:
EventID: 7045
ServiceName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
product: windows
service: security
detection:
selection_service:
EventID: 4698
TaskName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
---
logsource:
category: registry_event
product: windows
detection:
selection_reg1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
---
logsource:
category: process_creation
product: windows
detection:
selection_process0:
CommandLine|contains: '\Service.exe'
CommandLine|endswith:
- 'i'
- 'u'
selection_process1:
- CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe'
- CommandLine|startswith: 'C:\wsc.exe'
selection_process2:
Image|contains: '\Windows\Temp\DB\'
Image|endswith: '.exe'
selection_process3:
CommandLine|contains|all:
- '\nslookup.exe'
- '-q=TXT'
ParentImage|contains: '\Autoit'
Reference in New Issue View Git Blame Copy Permalink