Vendor-native detections for T1107

1 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

technique T1107 ×

◈

Detections

1 shown of 1

Chronicle (YARA-L) Original YARA-L T1003 ↗

a_variant_of_data_stealer_trojan_activity

This rule detects a stealer behaviour. Malware deletes itself License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.

Show query

rule a_variant_of_data_stealer_trojan_activity {
 meta:
    author = "Emir Erdogan"
    description = "This rule detects a stealer behaviour. Malware deletes itself  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/f9ZYj4C5CNBg"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1129, T1003, T1114, T1012, T1107"

  events:
((re.regex($selection.target.process.file.full_path, `.*/ralord\.exe`) or re.regex($selection.target.process.file.full_path, `.*/lodron\.exe`) or re.regex($selection.target.process.file.full_path, `.*/019\.exe`) or re.regex($selection.target.process.file.full_path, `.*/016\.exe`)) and (re.regex($selection.principal.process.file.full_path, `.*/setup_file\.exe`) or re.regex($selection.principal.process.file.full_path, `.*/setup_installer\.exe`)))

  condition:
    $selection
}

Showing 1-1 of 1

Prev 1 Next