rule: emissary panda activity

rules/apt/apt_emissarypanda_sep19.yml

@@ -0,0 +1,19 @@
+title: Emissary Panda Malware SLLauncher
+status: experimental
+description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
+references:
+    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
+    - https://twitter.com/cyb3rops/status/1168863899531132929
+author: Florian Roth
+date: 2018/09/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage: '*\sllauncher.exe'
+        Image: '*\svchost.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical