Vendor-native detections for T1170

1 vendor-native detection · ready to paste into your SIEM · cross-linked to ATT&CK technique T1170

Detections

Chronicle (YARA-L) · Original YARA-L · T1064
mshta_downloads_malware_by_using_covid19_themed_document
SideWinder APT Group attacks by using a COVID-19-themed document. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md
rule mshta_downloads_malware_by_using_covid19_themed_document {
  meta:
    author = "Emir Erdogan"
    description = "SideWinder APT Group attacks by using COVID-19 document. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Y3qk94UKdcbO"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1129, T1170, T1064"

  events:
    // Launching (parent) process is mshta.exe
    re.regex($selection1.principal.process.file.full_path, `.*\\mshta\.exe`) and
    // Launched (child) process is mshta.exe itself or rekeywiz.exe
    (
      $selection1.target.process.file.full_path = "C:\\Windows\\System32\\mshta.exe" or
      re.regex($selection1.target.process.file.full_path, `.*\\rekeywiz\.exe`)
    ) and
    // Child command line references the .hta payload or rekeywiz.exe
    (
      re.regex($selection1.target.process.command_line, `.*966029e\.hta.*`) or
      re.regex($selection1.target.process.command_line, `.*rekeywiz\.exe.*`)
    )

  condition:
    $selection1
}