import "vt"
rule APT_Bitter_chm_files {
  meta:
    name = "APT_Bitter_chm_files"
    author = "Joseliyo Sanchez - @Joseliyo_Jstnk"
    description = "Find chm files related to APT Bitter used during their operations"
    target_entity = "file"
    //vt_intelligence_query = behavior_processes:"%Comspec%" behavior_processes:"schtasks.exe" tag:chm
  condition:
    // Hunting rule built entirely on the "vt" module: it inspects VirusTotal
    // metadata and sandbox behaviour, not file bytes, so it only fires on
    // files VirusTotal has detonated (a CHM with no behaviour report cannot match).
    //
    // Scope: files newly seen by VirusTotal that carry the "chm" tag.
    vt.metadata.new_file
    and
    for any tag_name in vt.metadata.tags: (
      tag_name == "chm"
    )
    and
    // Persistence indicator: a scheduled task is created during execution
    // (looked for both in spawned processes and in executed command lines).
    (
      for any proc in vt.behaviour.processes_created: (
        proc contains "schtasks"
      )
      or
      for any cmd in vt.behaviour.command_executions: (
        cmd contains "schtasks"
      )
    )
    and
    // Execution indicator: the command interpreter is reached through the
    // COMSPEC environment variable. NOTE: "contains" is case-sensitive, so
    // only the two spellings listed here match; other casings (e.g. "ComSpec",
    // "COMSPEC") are deliberately outside this rule's coverage.
    (
      for any proc in vt.behaviour.processes_created: (
        proc contains "coMSPec" or proc contains "comspec"
      )
      or
      for any cmd in vt.behaviour.command_executions: (
        cmd contains "coMSPec" or cmd contains "comspec"
      )
    )
}