rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
status: test
description: Detects a ZxShell start by the called and well-known function name
references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2017-07-20
modified: 2021-11-27
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1218.011
    - attack.s0412
    - attack.g0001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'zxFunction'
            - 'RemoteDiskXXXXX'
    condition: selection
falsepositives:
    - Unlikely
level: critical
ZxShell 2017-07-20 12:36:24 -06:00			`title: ZxShell Malware`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: f0b70adb-0075-43b0-9745-e82a1c608fcc`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects a ZxShell start by the called and well-known function name`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100`
chore: move rules to new folders (#4205 ) 2023-05-02 23:17:57 +02:00			`- https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2017-07-20`
			`modified: 2021-11-27`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.execution`
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 2026-04-29 01:20:23 +02:00			`- attack.stealth`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- attack.t1059.003`
			`- attack.t1218.011`
			`- attack.s0412`
			`- attack.g0001`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- detection.emerging-threats`
ZxShell 2017-07-20 12:36:24 -06:00			`logsource:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`category: process_creation`
			`product: windows`
ZxShell 2017-07-20 12:36:24 -06:00			`detection:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`selection:`
			`Image\|endswith: '\rundll32.exe'`
			`CommandLine\|contains:`
			`- 'zxFunction'`
			`- 'RemoteDiskXXXXX'`
			`condition: selection`
ZxShell 2017-07-20 12:36:24 -06:00			`falsepositives:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- Unlikely`
ZxShell 2017-07-20 12:36:24 -06:00			`level: critical`