Pandemic Implant

rules/apt/apt_pandemic.yml

@@ -0,0 +1,25 @@
+title: Pandemic Registry Key
+status: experimental
+description: Detects Pandemic Windows Implant
+reference: 
+    - https://wikileaks.org/vault7/#Pandemic
+    - https://twitter.com/MalwareJake/status/870349480356454401
+author: Florian Roth
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+    selection2:
+        EventID: 1
+        Command: 'loaddll -a *'
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical
+