rules/apt/apt_apt29_tor.yml

action: global
title: APT29 Google Update Service Install
id: c069f460-2b87-4010-8dcf-e45bab362624
description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    so the service names and executable locations used by APT29 are specific enough to be detected in log files.
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
tags:
    - attack.persistence
    - attack.g0016
    - attack.t1050
logsource:
    product: windows
    service: system
detection:
    service_install:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
    condition: service_install | near process
falsepositives:
    - Unknown
level: high
---
logsource:
    category: process_creation
    product: windows
detection:
    process:
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00			`action: global`
Rule: APT29 Google Update service install 2017-03-31 19:31:13 +02:00			`title: APT29 Google Update Service Install`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: c069f460-2b87-4010-8dcf-e45bab362624`
			`description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe`
			`so the service names and executable locations used by APT29 are specific enough to be detected in log files.`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html`
Add tags to APT rules 2018-07-25 09:50:01 +02:00			`tags:`
fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00			`- attack.persistence`
Add tags to APT rules 2018-07-25 09:50:01 +02:00			`- attack.g0016`
fix tags on apt29 tor rule 2019-03-13 09:25:28 +00:00			`- attack.t1050`
Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00			`logsource:`
			`product: windows`
Fixing failed CI build 2019-03-04 16:44:30 +03:00			`service: system`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00			`detection:`
Fixing failed CI build 2019-03-04 16:44:30 +03:00			`service_install:`
Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00			`EventID: 7045`
			`ServiceName: 'Google Update'`
Fixing failed CI build - take 2 2019-03-04 16:51:39 +03:00			`timeframe: 5m`
			`condition: service_install \| near process`
			`falsepositives:`
			`- Unknown`
			`level: high`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00			`---`
Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00			`logsource:`
			`category: process_creation`
			`product: windows`
Converted Windows 4688-only rules into 4688 and Sysmon/1 collections 2017-11-01 22:12:14 +01:00			`detection:`
			`process:`
			`Image:`
			`- 'C:\Program Files(x86)\Google\GoogleService.exe'`
			`- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'`