From 0c729d1eeaa90aa1e7df5f768f5fbcaec742bf39 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 22 Aug 2018 17:02:03 +0200
Subject: [PATCH] Already used in different rule

---
 rules/apt/apt_oilrig.yml | 35 -----------------------------------
 1 file changed, 35 deletions(-)
 delete mode 100644 rules/apt/apt_oilrig.yml

diff --git a/rules/apt/apt_oilrig.yml b/rules/apt/apt_oilrig.yml
deleted file mode 100644
index 636024c8b..000000000
--- a/rules/apt/apt_oilrig.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Oilrig Information Gathering on local system
-status: experimental
-description: Detects automated information gathering on local system seen in Oilrig activity
-references:
-    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-tags:
-    - attack.T1012
-    - attack.T1033
-author: Markus Neis
-date: 2018/08/10
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine:
-            - '*whoami*'
-            - '*reg query*'
-            - '*hostname*'
-            - '*net user /domain'
-            - '*net group /domain'
-            - '*net group "domain admins" /domain'
-            - '*net group "Exchange Trusted Subsystem" /domain'
-            - '*sc query*'
-            - '*tasklist*'
-            - '*systeminfo'
-            - '*net accounts /domain'
-            - '*net user net localgroup administrators'
-            - '*netstat -an'
-    timeframe: 10s
-    condition: selection | count() > 5
-falsepositives:
-    - Administrative Scripts or Activity
-level: high