From ea840632f3acc81f258d7adfb178cf2d2e6a90ae Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 6 Nov 2017 14:22:09 +0100
Subject: [PATCH] Sysmon: Named Pipe detection for Turla malware by @markus_neis
---
rules/apt/apt_turla_namedpipes.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/apt/apt_turla_namedpipes.yml
diff --git a/rules/apt/apt_turla_namedpipes.yml b/rules/apt/apt_turla_namedpipes.yml
new file mode 100644
index 000000000..a82a09648
--- /dev/null
+++ b/rules/apt/apt_turla_namedpipes.yml
@@ -0,0 +1,27 @@
+title: Turla Group Named Pipes
+status: experimental
+description: Detects a named pipe used by Turla group samples
+reference: Internal Research
+date: 2017/11/06
+author: Markus Neis
+logsource:
+ product: windows
+ service: sysmon
+ description: 'Note that you have to configure logging for PipeEvents in Symson config'
+detection:
+ selection:
+ EventID:
+ - 17
+ - 18
+ PipeName:
+ - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
+ - '\userpipe' # ruag apt case
+ - '\iehelper' # ruag apt case
+ - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
+ condition: selection
+falsepositives:
+ - Unkown
+level: critical
+
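Review bot: The `falsepositives` entry `- Unkown` is a typo and also leaves the analyst without the one piece of triage context the hunk already has: the `\rpc` entry was commented out because generic pipe names are noisy, so the field should read `- Unknown` and carry a second entry such as `- Legitimate software using one of the listed pipe names (generic names such as \rpc were deliberately excluded)`. The `logsource.description` string on the same hunk misspells the tool as `Symson` and is text analysts will read when the rule fires without pipe logging enabled; it should be `'Note that you have to configure logging for PipeEvents in Sysmon config'`. The indentation of the `+` lines has been flattened in this rendering, so the nesting of `selection`, `EventID` and `PipeName` under `detection` cannot be verified here; presumably the committed file uses the repository's four-space Sigma indentation, which should be confirmed before merge. All `PipeName` values are single-quoted, which correctly keeps the leading backslash literal.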