yt0ng
additional execution observed
0d7f559
Feb 1, 2020
sigma/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml
```yaml
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: experimental
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
references:
    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
tags:
    - attack.defense_evasion
    - attack.t1073
    - attack.g0044
author: Florian Roth, Markus Neis
date: 2020/02/01
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains:
            - 'C:\Windows\Temp'
            - '\hpqhvind.exe'
        Image|startswith: 'C:\ProgramData\DRM'
    selection2:
        ParentImage|startswith: 'C:\ProgramData\DRM'
        Image|endswith: '\wmplayer.exe'
    selection3:
        ParentImage|endswith: '\Test.exe'
        Image|endswith: '\wmplayer.exe'
    selection4:
        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
    selection5:
        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
        Image|endswith: '\SearchFilterHost.exe'
    condition: 1 of them
falsepositives:
    - Unlikely
level: critical
```
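To see how the five selections and the `1 of them` condition evaluate, here is an added Python matcher (not part of the Sigma project or this rule) that applies the rule's field modifiers to constructed process-creation events; the sample events and the `MODIFIERS` / `matching_selections` names are assumptions of this example.

```python
# Added example, not Sigma's own code: evaluate the Winnti HK University rule's
# selections over constructed process-creation events. Sigma string matching on
# Windows paths is case-insensitive, so values and patterns are lowercased.

MODIFIERS = {
    "contains": lambda v, p: p in v,
    "startswith": str.startswith,
    "endswith": str.endswith,
    "equals": str.__eq__,          # a plain field value with no modifier
}

# Each selection: list of (field, modifier, patterns); fields are AND-ed.
RULE_SELECTIONS = {
    "selection1": [("ParentImage", "contains", ["C:\\Windows\\Temp", "\\hpqhvind.exe"]),
                   ("Image", "startswith", ["C:\\ProgramData\\DRM"])],
    "selection2": [("ParentImage", "startswith", ["C:\\ProgramData\\DRM"]),
                   ("Image", "endswith", ["\\wmplayer.exe"])],
    "selection3": [("ParentImage", "endswith", ["\\Test.exe"]),
                   ("Image", "endswith", ["\\wmplayer.exe"])],
    "selection4": [("Image", "equals", ["C:\\ProgramData\\DRM\\CLR\\CLR.exe"])],
    "selection5": [("ParentImage", "startswith", ["C:\\ProgramData\\DRM\\Windows"]),
                   ("Image", "endswith", ["\\SearchFilterHost.exe"])],
}

def _field_matches(value, modifier, patterns):
    # Patterns listed under one field are OR-ed, as in Sigma.
    v = value.lower()
    return any(MODIFIERS[modifier](v, p.lower()) for p in patterns)

def matching_selections(event):
    # Returns the names of all selections whose fields all match the event.
    return [name for name, fields in RULE_SELECTIONS.items()
            if all(_field_matches(event.get(f, ""), mod, pats) for f, mod, pats in fields)]

def rule_fires(event):
    # condition: 1 of them
    return len(matching_selections(event)) >= 1

# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\Temp\\hpqhvind.exe", "Image": "C:\\ProgramData\\DRM\\svc.exe"},
    {"ParentImage": "C:\\ProgramData\\DRM\\Windows\\host.exe", "Image": "C:\\Windows\\System32\\SearchFilterHost.exe"},
    {"ParentImage": "C:\\Users\\u\\Test.exe", "Image": "C:\\Program Files\\Windows Media Player\\wmplayer.exe"},
    {"ParentImage": "C:\\ProgramData\\DRM\\x.exe", "Image": "C:\\ProgramData\\DRM\\CLR\\CLR.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\SearchFilterHost.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matching_selections(ev), ev["Image"])
```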