title: Chafer Activity
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
      type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: test
references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
    - attack.persistence
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1112
    - attack.command_and_control
    - attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
    category: process_creation
    product: windows
detection:
    selection_process0:
        CommandLine|contains: '\Service.exe'
        CommandLine|endswith: 
            - 'i'
            - 'u'
    selection_process1:
        - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe'
        - CommandLine|startswith: 'C:\wsc.exe'
    selection_process2:
        Image|contains: '\Windows\Temp\DB\'
        Image|endswith: '.exe'
    selection_process3:
        CommandLine|contains|all: 
            - '\nslookup.exe'
            - '-q=TXT'
        ParentImage|contains: '\Autoit'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high