Sysmon: Named Pipe detection for Turla malware by @markus_neis

rules/apt/apt_turla_namedpipes.yml

@@ -0,0 +1,27 @@
+title: Turla Group Named Pipes 
+status: experimental
+description: Detects a named pipe used by Turla group samples
+reference: Internal Research
+date: 2017/11/06
+author: Markus Neis
+logsource:
+    product: windows
+    service: sysmon
+    description: 'Note that you have to configure logging for PipeEvents in Symson config'
+detection:
+    selection:
+        EventID: 
+            - 17
+            - 18
+        PipeName: 
+            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
+            - '\userpipe' # ruag apt case
+            - '\iehelper' # ruag apt case
+            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            # - '\rpc'  # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+