security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64caa8aedc7500d5c94de356a0d2da233a6c1070
blue-team-tools/rules/apt/apt_apt29_tor.yml
T

20 lines
832 B
YAML
Raw Normal View History

Rule: APT29 Google Update service install
2017-03-31 19:31:13 +02:00
title: APT29 Google Update Service Install
APT 29 - tor / google update service
2017-04-01 10:30:36 +02:00
description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.'
Rule: APT29 Google Update service install
2017-03-31 19:31:13 +02:00
reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
logsource:
product: windows
detection:
APT 29 - tor / google update service
2017-04-01 10:30:36 +02:00
selection1:
Rule: APT29 Google Update service install
2017-03-31 19:31:13 +02:00
EventID: 7045
ServiceName: 'Google Update'
APT 29 - tor / google update service
2017-04-01 10:30:36 +02:00
selection2:
EventID: 4688
NewProcessName:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
condition: selection1 or selection2
Rule: APT29 Google Update service install
2017-03-31 19:31:13 +02:00
falsepositives:
- Unknown
level: high
APT 29 - tor / google update service
2017-04-01 10:30:36 +02:00
Reference in New Issue Copy Permalink