Vendor-native detections for T1215

1 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

technique T1215 ×

◈

Detections

1 shown of 1

Chronicle (YARA-L) Original YARA-L T1045 ↗

fake_zoom_installerexe_devil_shadow_botnet

This rule detects to devil shadow botnet activities with fake zoom installer exe. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.

Show query

rule fake_zoom_installerexe_devil_shadow_botnet {
 meta:
    author = "Emir Erdogan"
    description = "This rule detects to devil shadow botnet activities with fake zoom installer exe.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/UPInonyraJtb"
    version = "0.01"
    created = "2021-03-09"
    category = "windows"
    product = "sysmon"
    mitre = "T1055, T1179, T1215, T1065, T1045"

  events:
(((re.regex($selection.principal.process.file.full_path, `.*/Zoominstaller\.exe `) or re.regex($selection.principal.process.file.full_path, `.*/wscript\.exe`)) and re.regex($selection.target.process.file.full_path, `.*/cmd\.exe`) and re.regex($selection.target.process.command_line, `.*pyclient\.cmd.*`)) or (re.regex($selection.principal.process.file.full_path, `.*/cmd\.exe`) and (re.regex($selection.target.process.file.full_path, `.*/tasklist\.exe`) or re.regex($selection.target.process.file.full_path, `.*/attrib\.exe`) or re.regex($selection.target.process.file.full_path, `.*/reg\.exe`)) and (re.regex($selection.target.process.command_line, `.*D3ViL ShaDow.*`) or re.regex($selection.target.process.command_line, `.*botnet.*`) or re.regex($selection.target.process.command_line, `.*boot-startup\.vbs.*`))))

  condition:
    $selection
}

Showing 1-1 of 1

Prev 1 Next