Vendor-native detections for T1192
4 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections (4 shown of 4)

a_variant_of_lokibot_trojan
This rule detects a variant of the LokiBot trojan, delivered when a scam e-mail leads the user to a phishing site that downloads the trojan. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule a_variant_of_lokibot_trojan {
  meta:
    author = "Emir Erdogan"
    description = "this rule detects one of lokibot trojan malware. Phishing site downloads trojan via scam e-mail License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/Vd9kzWELL9Ef"
    version = "0.01"
    created = "2021-03-09"
    product = "windows"
    service = "sysmon"
    mitre = "T1081, T1566, T1192"
  events:
    // Either dllhost.exe spawned by a parent named v.exe, or any process event from a host whose name contains shehig.com
    (($selection.target.process.file.full_path = "C:\\Windows\\system32\\dllhost.exe" and re.regex($selection.principal.process.file.full_path, `.*\\v\.exe`)) or re.regex($selection.principal.hostname, `.*shehig\.com.*`))
  condition:
    $selection
}

microsoft_teams_phishing_email
Detects a phishing e-mail that impersonates Microsoft Teams, by matching allowed proxy requests to the campaign's URLs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule microsoft_teams_phishing_email {
  meta:
    author = "Osman Demir"
    description = "Detects Phishing Email License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/0KZv4DodlqT8"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1192, initial_access"
  events:
    // Proxy allowed a request to one of the known phishing URLs
    ($selection.security_result.action = "allowed" and ($selection.target.url = "https://us19.campaign-archive.com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20" or $selection.target.url = "https://imunodar.com/wp-content/plugins/wp-picaso/Teams"))
  condition:
    $selection
}

phishing_campaign_using_zoom_invites
Detects a phishing campaign that poses as a Zoom video conference invitation in order to obtain users' Microsoft credentials, by matching allowed proxy requests to the campaign's URLs. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule phishing_campaign_using_zoom_invites {
  meta:
    author = "Osman Demir"
    description = "A new phishing campaign started that acts as a Zoom video conference invitation to obtain Microsoft credentials from users. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/3VenDiAFwIuY"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1192, initial_access"
  events:
    // Proxy allowed a request to the redirector, the landing page, or the fake Microsoft login host
    ($selection.security_result.action = "allowed" and ($selection.target.url = "https://r.smore.com/c?u=pastell.in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44?e5=REDACTED[@]company.com" or $selection.target.url = "http://www.pastell.in/ca07-b36n5-65m-c53b-o26v-62h-e79-t56e-c44" or $selection.target.url = "https://logonmicrosftonlinezoomconference.azureedge.net"))
  condition:
    $selection
}

zoom_phishing_email_fake_zoom_login_page__credential_stealer
Detects a phishing e-mail that leads to a fake Zoom login page used to steal credentials, by matching allowed proxy requests to the campaign's URL. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule zoom_phishing_email_fake_zoom_login_page__credential_stealer {
  meta:
    author = "Osman Demir"
    description = "Detects Phishing Email License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/0wJzSlJ1QqOI"
    version = "0.01"
    created = "2021-03-09"
    category = "proxy"
    mitre = "T1192, initial_access"
  events:
    // Proxy allowed a request to the fake Zoom login host
    ($selection.security_result.action = "allowed" and $selection.target.url = "http://zoom-emergency.myftp.org")
  condition:
    $selection
}