diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
new file mode 100644
index 000000000..c2b7bf877
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -0,0 +1,33 @@
+title: Turla Group Commands May 2020
+id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
+status: experimental
+description: Detects commands used by Turla group as reported by ESET in May 2020
+references:
+    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1086
+    - attack.t1053
+    - attack.t1027
+    - attack.discovery
+    - attack.t1016
+author: Florian Roth
+date: 2020/05/26
+logsource:
+    category: process_creation
+    product: windows
+falsepositives:
+    - Unknown
+detection:
+    selection1:
+        CommandLine|contains:
+            - 'tracert -h 10 yahoo.com'
+            - '.WSqmCons))|iex;'
+            - 'Fr`omBa`se6`4Str`ing'
+    selection2:
+        CommandLine|contains|all:
+            - 'net use https://docs.live.net'
+            - '@aol.co.uk'
+    condition: 1 of them
+level: critical
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
new file mode 100644
index 000000000..dcab5bd63
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -0,0 +1,23 @@
+title: Renamed SysInternals Debug View
+id: cd764533-2e07-40d6-a718-cfeec7f2da7f
+status: experimental
+description: Detects suspicious renamed SysInternals DebugView execution
+references:
+    - https://www.epicturla.com/blog/sysinturla
+author: Florian Roth
+date: 2020/05/28
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Product:
+            - 'Sysinternals DebugView'
+            - 'Sysinternals Debugview'
+    filter:
+        OriginalFilename: 'Dbgview.exe'
+        Image|endswith: '\Dbgview.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
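Review bot: The `'Fr`omBa`se6`4Str`ing'` string in `selection1` pins one exact backtick placement, so an operator who moves a single tick (e.g. `From`Base64String`) slips past this rule while still being the same technique; the value is worth keeping as a reported ComRAT indicator but should not be relied on as the coverage for PowerShell backtick obfuscation. The `'tracert -h 10 yahoo.com'` entry is a plausible connectivity check an administrator may run by hand, which sits uneasily with `level: critical` and `falsepositives: Unknown`; I would list that under falsepositives, e.g. `- Administrators running tracert against public hosts for connectivity checks`. Finally, `falsepositives` is placed before `detection` here but after it in the sibling debugview rule; ordering the keys `detection`, `falsepositives`, `level` in both keeps the repository consistent.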
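Review bot: The `filter` selection keys on `OriginalFilename`, while the Sysmon process-creation field is spelled `OriginalFileName`; if the backend field mappings use that exact casing, the filter never matches, `not filter` is always true, and the rule fires on every legitimate DebugView launch rather than only renamed copies. I would change the key to `OriginalFileName: 'Dbgview.exe'` and confirm it against the taxonomy the other renamed-binary rules in this directory use. Separately, if the Sysinternals package in scope also ships a 64-bit `Dbgview64.exe`, its `Image` does not end with `\Dbgview.exe` and it would be flagged as renamed; making `Image|endswith` a list that also contains `'\Dbgview64.exe'` (after checking what `OriginalFileName` that build carries) would close that false positive. The `Product` match also depends on version-info enrichment being enabled in the log source, which may be worth a short note above `selection`.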