rules/windows/process_creation/proc_creation_win_apt_sofacy.yml

title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
status: test
date: 2018/03/01
modified: 2021/12/08
description: Detects Trojan loader activity as used by APT28
references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
    - https://twitter.com/ClearskySec/status/960924755355369472
tags:
    - attack.g0007
    - attack.execution
    - attack.t1059.003
    - attack.defense_evasion
    - car.2013-10-002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '%APPDATA%\'
    selection2:
        - CommandLine|contains: '.dat",'
        - CommandLine|endswith:
            - '.dll",#1'
            - '.dll #1'
            - '.dll" #1'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: critical
Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00			`title: Sofacy Trojan Loader Activity`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: ba778144-5e3d-40cf-8af9-e28fb1df1e20`
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00			`author: Florian Roth, Jonhnathan Ribeiro, oscd.community`
chore: increase rule status 2022-03-07 17:10:51 +01:00			`status: test`
fix: fixed missing date fields in other files 2020-01-30 15:32:39 +01:00			`date: 2018/03/01`
refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00			`modified: 2021/12/08`
chore: increase rule status 2022-03-07 17:10:51 +01:00			`description: Detects Trojan loader activity as used by APT28`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`references:`
Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00			`- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/`
			`- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100`
			`- https://twitter.com/ClearskySec/status/960924755355369472`
Add tags to APT rules 2018-07-25 09:50:01 +02:00			`tags:`
			`- attack.g0007`
add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00			`- attack.execution`
att&ck tags review: windows/process_creation part 1, network 2020-08-27 20:43:47 +03:00			`- attack.t1059.003`
add tags to apt sofacy rule 2019-03-13 09:53:02 +00:00			`- attack.defense_evasion`
First Pass 2019-06-13 23:15:38 -05:00			`- car.2013-10-002`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1218.011`
Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00			`logsource:`
Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00			`category: process_creation`
Rule: Sofacy Trojan Loader 2018-03-01 09:27:46 +01:00			`product: windows`
			`detection:`
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00			`selection1:`
Update win_apt_sofacy.yml 2020-11-26 23:21:53 -03:00			`CommandLine\|contains\|all:`
			`- 'rundll32.exe'`
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00			`- '%APPDATA%\'`
			`selection2:`
			`- CommandLine\|contains: '.dat",'`
chore: increase rule status 2022-03-07 17:10:51 +01:00			`- CommandLine\|endswith:`
refactor: adjusted run by ordinal pattern for Sysmon 2021-12-08 10:01:54 +01:00			`- '.dll",#1'`
			`- '.dll #1'`
			`- '.dll" #1'`
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00			`condition: selection1 and selection2`
Updated to use the new process_creation logsource 2019-03-04 16:13:27 +03:00			`falsepositives:`
			`- Unknown`
			`level: critical`