security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

split win_apt_turla_commands.yml

Browse Source
This commit is contained in:
frack113
2021-09-19 11:17:50 +02:00
parent b576ad115b
commit c43c12e557
3 changed files with 37 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/process_creation_apt_turla_commands_critical.yml
Executable
+32
View File
@@ -0,0 +1,32 @@
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: experimental
description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
tags:
- attack.g0010
- attack.execution
- attack.t1059
- attack.lateral_movement
- attack.t1077 # an old one
- attack.t1021.002
- attack.discovery
- attack.t1083
- attack.t1135
author: Markus Neis
date: 2017/11/07
modified: 2021/09/19
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
level: critical
falsepositives:
- Unknown
rules/windows/process_creation/win_apt_turla_commands.yml → rules/windows/process_creation/process_creation_apt_turla_commands_medium.yml
Executable → Regular
+4 -16
View File
@@ -1,5 +1,5 @@
action: global
title: Turla Group Lateral Movement
id: 75925535-ca97-4e0a-a850-00b5c00779dc
status: experimental
description: Detects automated lateral movement by Turla group
references:
@@ -16,24 +16,10 @@ tags:
- attack.t1135
author: Markus Neis
date: 2017/11/07
modified: 2020/08/27
modified: 2021/09/19
logsource:
category: process_creation
product: windows
falsepositives:
- Unknown
---
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
detection:
selection:
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
level: critical
---
id: 75925535-ca97-4e0a-a850-00b5c00779dc
detection:
netCommand1:
CommandLine: 'net view /DOMAIN'
@@ -44,3 +30,5 @@ detection:
timeframe: 1m
condition: netCommand1 | near netCommand2 and netCommand3
level: medium
falsepositives:
- Unknown
rules/windows/process_creation/process_creation_win_exchange_transportagent.yml
+1 -1
View File
@@ -1,5 +1,5 @@
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad856861
id: 83809e84-4475-4b69-bc3e-4aad8568612f
status: experimental
description: Detects the Installation of a Exchange Transport Agent
references: