From 536e328540ecafad9b977d36b2adc19beea11f39 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 1 Jun 2017 22:48:59 +0200
Subject: [PATCH] Pandemic Implant
---
rules/apt/apt_pandemic.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 rules/apt/apt_pandemic.yml
diff --git a/rules/apt/apt_pandemic.yml b/rules/apt/apt_pandemic.yml
new file mode 100644
index 000000000..670075e56
--- /dev/null
+++ b/rules/apt/apt_pandemic.yml
@@ -0,0 +1,25 @@
+title: Pandemic Registry Key
+status: experimental
+description: Detects Pandemic Windows Implant
+reference:
+ - https://wikileaks.org/vault7/#Pandemic
+ - https://twitter.com/MalwareJake/status/870349480356454401
+author: Florian Roth
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 13
+ TargetObject:
+ - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+ - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+ - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+ selection2:
+ EventID: 1
+ Command: 'loaddll -a *'
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: critical
+
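Review bot: `selection2` keys on a field named `Command`, but Sysmon Event ID 1 carries the process command line in `CommandLine`, so that half of the rule can never match against Sysmon events and the `condition: selection1 or selection2` quietly degrades to `selection1` alone; it should read `CommandLine: 'loaddll -a *'`, and since the pattern is anchored at the start of the value it would also miss a fully-qualified invocation such as `C:\...\loaddll.exe -a`, which `'*loaddll -a *'` would cover. The `TargetObject` values in `selection1` use the kernel-style `\REGISTRY\MACHINE\` prefix copied from the leaked documentation, whereas Sysmon Event ID 13 normally reports registry paths with the `HKLM\` prefix; unless the deployment normalizes paths, `HKLM\SYSTEM\CurrentControlSet\services\null\Instance*` (and the ControlSet001/002 variants) should be added so the rule fires on real Sysmon telemetry. Given that a `level: critical` rule that matches nothing is worse than no rule, both selections deserve a quick test against a Sysmon-exported event before this leaves `status: experimental`.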