Nasreddine Bencherchali
45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
title: OceanLotus Registry Activity
|
|
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
|
|
status: test
|
|
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
|
|
references:
|
|
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
|
|
- https://github.com/eset/malware-ioc/tree/master/oceanlotus
|
|
author: megan201296, Jonhnathan Ribeiro
|
|
date: 2019-04-14
|
|
modified: 2023-09-28
|
|
tags:
|
|
- attack.persistence
|
|
- attack.defense-impairment
|
|
- attack.t1112
|
|
- detection.emerging-threats
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
detection:
|
|
selection_clsid:
|
|
TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
|
|
selection_hkcu:
|
|
TargetObject|contains:
|
|
# HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
|
|
- 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
|
|
# HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
|
|
- 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
|
|
# HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
|
|
- 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
|
|
- 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
|
|
selection_appx_1:
|
|
TargetObject|contains: '\SOFTWARE\App\'
|
|
selection_appx_2:
|
|
TargetObject|contains:
|
|
- 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
|
|
- 'AppX70162486c7554f7f80f481985d67586d\'
|
|
- 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
|
|
TargetObject|endswith:
|
|
- 'Application'
|
|
- 'DefaultIcon'
|
|
condition: selection_clsid or selection_hkcu or all of selection_appx_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|