frack113
31 lines
1010 B
YAML
31 lines
1010 B
YAML
title: GMER - Rootkit Detector and Remover Execution
|
|
id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
|
|
status: experimental
|
|
description: Detects the execution GMER tool based on image and hash fields.
|
|
references:
|
|
- http://www.gmer.net/
|
|
author: Nasreddine Bencherchali
|
|
date: 2022/10/05
|
|
modified: 2022/10/30
|
|
tags:
|
|
- attack.defense_evasion
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_img:
|
|
Image|endswith: '\gmer.exe'
|
|
selection_sysmon_hash:
|
|
Hashes|contains:
|
|
- 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
|
|
- 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
|
|
- 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
|
|
selection_other:
|
|
- md5: 'e9dc058440d321aa17d0600b3ca0ab04'
|
|
- sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
|
|
- sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
|
|
condition: 1 of selection_*
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|