Vendor-native detections for T1081
3 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
3 shown of 3

a_variant_of_lokibot_trojan
This rule detects a variant of the LokiBot trojan. A phishing site delivers the trojan via a scam e-mail. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule a_variant_of_lokibot_trojan {
  meta:
    author = "Emir Erdogan"
    description = "this rule detects one of lokibot trojan malware. Phishing site downloads trojan via scam e-mail License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Vd9kzWELL9Ef"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1081, T1566, T1192"
  events:
    (($selection.target.process.file.full_path = "C:\\Windows\\system32\\dllhost.exe" and re.regex($selection.principal.process.file.full_path, `.*\\v\.exe`)) or re.regex($selection.principal.hostname, `.*shehig\.com.*`))
  condition:
    $selection
}

agenttesla_rat_detection
AgentTesla RAT detection. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule agenttesla_rat_detection {
  meta:
    author = "Emir Erdogan"
    description = "AgentTesla RAT Detection License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/bwpRaR1KCq8h"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1053, T1081"
  events:
    ($selection.principal.process.file.full_path = "8cab6413fdc97e9cc90607b3a49175a7.exe" and (re.regex($selection.target.process.file.full_path, `.*RegSvcs\.exe`) or $selection.target.process.file.full_path = "C:\\Windows\\System32\\schtasks.exe") and re.regex($selection.target.process.command_line, `.*/Create /TN \"Updates\\ZwqpnECNvoWf\" /XML \"C:\\Users\\admin\\AppData\\Local\\Temp\\tmp6CEB\.tmp\"`))
  condition:
    $selection
}

powershell_obfuscation_by_agenttesla
AgentTesla downloads malware using obfuscated PowerShell from an FTP server in a French data center. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule powershell_obfuscation_by_agenttesla {
  meta:
    author = "Emir Erdogan"
    description = "AgentTesla downloads malware by using obfuscated powershell via ftp server on French Data Center License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/lZkiLjSHfmwQ"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1064, T1060, T1081, T1130"
  events:
    // The literal "$" characters of the PowerShell variables ($VN, $_) are escaped as "\$" so the
    // regex matches them literally instead of treating them as end-of-line anchors.
    ((re.regex($selection1.target.process.file.full_path, `.*\\powershell`) and (re.regex($selection1.target.process.command_line, `Powershell \$VN=\( '104{100e121'\.SpLiT\('!X_AeZuG{%'\) |fOreACh-oBjeCt{[CHar]\(\$_-BXOR 0x21 \) }\) -joIN '';sal MUM \$VN;\$BCmiLrM=@\(.*`) or re.regex($selection1.target.process.command_line, `Powershell '\(&'\+'\(G'\+'C'\+'###'\.replace\('###','M'\)\+' .*W-'\+'O.*\)'\+ 'Ne'\+'t\.'\+'W'\+'eb'\+'C'\+'li'\+'ent\)'\+'\.D'\+'ow'\+'nl'\+'oad'\+'F'\+'il'\+'e\(''.*File\.vbs.*`))) or (re.regex($selection1.target.process.file.full_path, `.*\\RegAsm\.exe`) and re.regex($selection1.principal.process.file.full_path, `.*\\InstallUtil\.exe`)))
  condition:
    $selection1
}