security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
T

27 lines
888 B
YAML
Raw Normal View History

docs: changed UltraVNC flags rule < Gamaredon
2022-03-09 08:17:14 +01:00
title: Suspicious UltraVNC Execution
Added rule for Gamaredon UltraVNC Execution
2022-03-04 15:40:33 +05:45
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: experimental
author: Bhabesh Raj
date: 2022/03/04
docs: changed UltraVNC flags rule < Gamaredon
2022-03-09 08:17:14 +01:00
modified: 2022/03/09
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
Added rule for Gamaredon UltraVNC Execution
2022-03-04 15:40:33 +05:45
references:
- https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
tags:
- attack.lateral_movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue Copy Permalink