Commit
Showing 13 changed files with 160 additions and 100 deletions.
4 changes: 2 additions & 2 deletions
...proc_creation_win_apt_hurricane_panda.yml → ...proc_creation_win_apt_hurricane_panda.yml
100755 → 100644
4 changes: 2 additions & 2 deletions
.../proc_creation_win_apt_lazarus_loader.yml → .../proc_creation_win_apt_lazarus_loader.yml
4 changes: 2 additions & 2 deletions
...creation_win_apt_muddywater_dnstunnel.yml → ...creation_win_apt_muddywater_dnstunnel.yml
37 changes: 37 additions & 0 deletions
rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
title: APT31 Judgement Panda Activity | ||
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422 | ||
status: test | ||
description: Detects APT 31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report | ||
references: | ||
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html | ||
author: Florian Roth (Nextron Systems) | ||
date: 2019/02/21 | ||
modified: 2023/03/10 | ||
tags: | ||
- attack.lateral_movement | ||
- attack.credential_access | ||
- attack.g0128 | ||
- attack.t1003.001 | ||
- attack.t1560.001 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_ldifde: | ||
CommandLine|contains|all: | ||
- 'ldifde' | ||
- '-f -n' | ||
- 'eprod.ldf' | ||
selection_lateral_movement: | ||
CommandLine|contains|all: | ||
- 'copy \\\\' | ||
- 'c$' | ||
CommandLine|contains: | ||
- '\aaaa\procdump64.exe' | ||
- '\aaaa\netsess.exe' | ||
- '\aaaa\7za.exe'' | ||
- '\c$\aaaa\' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unlikely | ||
level: critical |
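Review bot: the value `'\aaaa\7za.exe''` in `selection_lateral_movement` carries a stray trailing quote. In YAML single-quoted style `''` is an escaped quote, not a terminator, so the scalar runs on into the next list item and the file will either fail to parse or never match the intended string `\aaaa\7za.exe`; it should read `- '\aaaa\7za.exe'`. Separately, this file replaces proc_creation_win_apt_judgement_panda_gtr19.yml, which is deleted in the same commit: if the rule id changed, add a `related:` block with `type: obsoletes` as the Lazarus rule in this commit does; if the id is carried over, the retained `date: 2019/02/21` with `modified: 2023/03/10` is consistent and no change is needed.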
36 changes: 0 additions & 36 deletions
rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml
This file was deleted.
39 changes: 0 additions & 39 deletions
rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
This file was deleted.
59 changes: 59 additions & 0 deletions
rules/windows/process_creation/proc_creation_win_apt_lazarus_group_activity.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
title: Lazarus Group Activity | ||
id: 24c4d154-05a4-4b99-b57d-9b977472443a | ||
related: | ||
- id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e | ||
type: obsoletes | ||
status: test | ||
description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity | ||
references: | ||
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ | ||
- https://www.hvs-consulting.de/lazarus-report/ | ||
author: Florian Roth (Nextron Systems), wagga | ||
date: 2020/12/23 | ||
modified: 2023/03/10 | ||
tags: | ||
- attack.g0032 | ||
- attack.execution | ||
- attack.t1059 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_generic: | ||
CommandLine|contains: | ||
- 'reg.exe save hklm\sam %temp%\~reg_sam.save' | ||
- '1q2w3e4r@#$@#$@#$' | ||
- ' -hp1q2w3e4 ' | ||
- '.dat data03 10000 -p ' | ||
selection_netstat: | ||
CommandLine|contains|all: | ||
- 'netstat -aon | find ' | ||
- 'ESTA' | ||
- ' > %temp%\~' | ||
# Network share discovery | ||
selection_network_discovery: | ||
CommandLine|contains|all: | ||
- '.255 10 C:\ProgramData\IBM\' | ||
- '.DAT' | ||
selection_persistence: | ||
CommandLine|contains|all: | ||
- ' /c ' | ||
- ' -p 0x' | ||
CommandLine|contains: | ||
- 'C:\ProgramData\' | ||
- 'C:\RECYCLER\' | ||
selection_rundll32: | ||
CommandLine|contains|all: | ||
- 'rundll32 ' | ||
- 'C:\ProgramData\' | ||
CommandLine|contains: | ||
- '.bin,' | ||
- '.tmp,' | ||
- '.dat,' | ||
- '.io,' | ||
- '.ini,' | ||
- '.db,' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unlikely | ||
level: critical |
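Review bot: the tags cover only execution (`attack.t1059`), but the selections cover more than that: `reg.exe save hklm\sam %temp%\~reg_sam.save` in `selection_generic` is SAM credential dumping (`attack.credential_access`, `attack.t1003.002`) and `selection_netstat` is network connection discovery (`attack.discovery`, `attack.t1049`); adding those tags keeps the rule findable by technique. Also, `selection_generic` would benefit from a comment saying what `' -hp1q2w3e4 '` and `'.dat data03 10000 -p '` are drawn from, in the way the `# Network share discovery` comment documents the next selection, so a maintainer can judge whether those literals are still worth keeping.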
39 changes: 39 additions & 0 deletions
rules/windows/process_creation/proc_creation_win_apt_muddywater_activity.yml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
title: Potential MuddyWater APT Activity | ||
id: 36222790-0d43-4fe8-86e4-674b27809543 | ||
status: test | ||
description: Detecting potential Muddywater APT activity | ||
references: | ||
- https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2023/03/10 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.execution | ||
- attack.g0069 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection_mshta: | ||
CommandLine|contains|all: | ||
- 'vbscript:Close(Execute("CreateObject(' | ||
- 'powershell' | ||
- '-w 1 -exec Bypass' | ||
- '\ProgramData\' | ||
selection_survey: | ||
CommandLine|contains|all: | ||
- 'Win32_OperatingSystem' | ||
- 'Win32_NetworkAdapterConfiguration' | ||
- 'root\SecurityCenter2' | ||
- '[System.Net.DNS]' | ||
selection_pwsh_backdoor: | ||
CommandLine|contains|all: | ||
- '[Convert]::ToBase64String' | ||
- '[System.Text.Encoding]::UTF8.GetString]' | ||
- 'GetResponse().GetResponseStream()' | ||
- '[System.Net.HttpWebRequest]::Create(' | ||
- '-bxor ' | ||
condition: 1 of selection_* | ||
falsepositives: | ||
- Unlikely | ||
level: high |
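Review bot: `'[System.Text.Encoding]::UTF8.GetString]'` in `selection_pwsh_backdoor` ends in `]` where the method call in a command line would continue with `(`; because that selection is `contains|all`, a single mistyped value means the backdoor branch can never fire and the rule silently loses that coverage. Suggest `- '[System.Text.Encoding]::UTF8.GetString('`. Two smaller points: the description `Detecting potential Muddywater APT activity` should follow the `Detects ...` form used by the other rules in this commit, and `selection_survey` (Win32_OperatingSystem, Win32_NetworkAdapterConfiguration, root\SecurityCenter2, [System.Net.DNS]) is the kind of inventory query administrative PowerShell scripts also run, so `falsepositives: - Unlikely` is optimistic for that branch; note the inventory-script case under falsepositives.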
File renamed without changes.