YARA

YARA rules for Ghostwriter / UNC1151

1 rule · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

direct UNC1151
APT_UNC1151_WindowsInstaller_Silent_InstallProduct_MacroMethod
author: Proofpoint Threat Research · license: see source repo
rule APT_UNC1151_WindowsInstaller_Silent_InstallProduct_MacroMethod {
    meta:
        author = "Proofpoint Threat Research"
        date = "2021-07-28"
        hash1 = "1561ece482c78a2d587b66c8eaf211e806ff438e506fcef8f14ae367db82d9b3"
        hash2 = "a8fd0a5de66fa39056c0ddf2ec74ccd38b2ede147afa602aba00a3f0b55a88e0"
        reference = "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
        id = "9ae80d54-33b9-55d7-957f-0738243e089f"
    strings:
        // OLE2 Compound File Binary (legacy .doc/.xls) magic bytes
        $doc_header = {D0 CF 11 E0 A1 B1 1A E1}
        // VBA macro fragments: silent installer UI level, WindowsInstaller COM object, remote MSI install
        $s1 = ".UILevel = 2"
        $s2 = "CreateObject(\"WindowsInstaller.Installer\")"
        $s3 = ".InstallProduct \"http"
    condition:
        // CFB header must sit at offset 0 and all three macro fragments must be present
        $doc_header at 0 and all of ($s*)
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin