From d14784510fd9941ebf04a19fa3a85fbbd801c35a Mon Sep 17 00:00:00 2001
From: Bhabesh
Date: Fri, 4 Mar 2022 15:40:33 +0545
Subject: [PATCH] Added rule for Gamaredon UltraVNC Execution
---
 ...rocess_creation_apt_gamaredon_ultravnc.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
diff --git a/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
new file mode 100644
index 000000000..168a56166
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
@@ -0,0 +1,26 @@
+title: Gamaredon UltraVNC Execution
+id: 871b9555-69ca-4993-99d3-35a59f9f3599
+status: experimental
+author: Bhabesh Raj
+date: 2022/03/04
+description: Gamaredon is known to use UltraVNC via command line for gaining remote access.
+references:
+ - https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
+ - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
+tags:
+ - attack.lateral_movement
+ - attack.g0047
+ - attack.t1021.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '-autoreconnect '
+ - '-connect '
+ - '-id:'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
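Review bot: The `falsepositives` entry `- Unknown` at the end of the hunk understates what the selection will match: the three `CommandLine|contains|all` strings appear to be the ordinary UltraVNC viewer switches for connecting through a repeater, not anything Gamaredon-specific, so a legitimate remote-support deployment that uses a repeater with `-id:` would fire this `level: high` rule on every session. I would state that explicitly so analysts know to baseline it, e.g. `falsepositives:` / `    - Legitimate administrative use of UltraVNC through a repeater`, and consider whether `level: high` still fits once that is acknowledged. The trailing spaces in `'-autoreconnect '` and `'-connect '` are presumably deliberate, to anchor on the complete switch rather than a prefix; a one-line comment above `CommandLine|contains|all:` saying so would stop a later cleanup from stripping them and silently widening the match. Separately, the hunk as displayed shows single-space nesting under `detection:`, which would make `CommandLine|contains|all` a sibling of `selection` rather than its child and leave the rule unloadable — if that is the committed content rather than an artifact of this view, it needs the repository's usual indentation.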