From c81d3bf56c9e730fc0eb5bfe84e87dd3caec0fb2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 3 Sep 2019 15:31:25 +0200
Subject: [PATCH] rule: emissary panda activity
---
rules/apt/apt_emissarypanda_sep19.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 rules/apt/apt_emissarypanda_sep19.yml
diff --git a/rules/apt/apt_emissarypanda_sep19.yml b/rules/apt/apt_emissarypanda_sep19.yml
new file mode 100644
index 000000000..3422f68b7
--- /dev/null
+++ b/rules/apt/apt_emissarypanda_sep19.yml
@@ -0,0 +1,19 @@
+title: Emissary Panda Malware SLLauncher
+status: experimental
+description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
+references:
+ - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
+ - https://twitter.com/cyb3rops/status/1168863899531132929
+author: Florian Roth
+date: 2018/09/03
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\sllauncher.exe'
+ Image: '*\svchost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
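Review bot: The `date:` field in the new rule reads `2018/09/03`, but the commit is dated 3 Sep 2019 and the file is named `apt_emissarypanda_sep19.yml`, so the year looks like a typo; it should be `date: 2019/09/03`. The rule also carries no `tags:` section, which the other APT rules in this repository use to link a detection to ATT&CK; adding `tags:` with the group and the DLL side-loading technique (e.g. `attack.g0027`, `attack.t1574.002`) would make the rule's coverage discoverable by tooling. Finally, the `description:` says the rule detects "the execution of DLL side-loading malware", whereas the selection only matches `svchost.exe` being spawned by `sllauncher.exe`; a one-line note in the description that this is a parent/child process heuristic (the side-loaded DLL itself is not inspected) would set the right expectations for analysts triaging a `critical` hit.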