security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml
T
frack113 4631d0c482 remove invalid tag
2022-01-19 18:23:30 +01:00

35 lines
968 B
YAML
Raw Blame History

title: Chafer Activity
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
type: derived
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
status: experimental
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
- attack.persistence
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071.004
date: 2018/03/23
modified: 2021/09/19
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
logsource:
product: windows
service: security
detection:
selection_service:
EventID: 4698
TaskName:
- 'SC Scheduled Scan'
- 'UpdatMachine'
condition: selection_service
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink