forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwin_apt_apt29_tor.yml
41 lines (41 loc) · 1.21 KB
/
win_apt_apt29_tor.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
action: global
title: APT29 Google Update Service Install
description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
so the service names and executable locations used by APT29 are specific enough to be detected in log files.
references:
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
tags:
- attack.persistence
- attack.g0016
- attack.t1050 # an old one
- attack.t1543.003
date: 2017/11/01
modified: 2020/08/23
author: Thomas Patzke
status: unsupported
logsource:
product: windows
service: system
detection:
service_install:
EventID: 7045
ServiceName: 'Google Update'
timeframe: 5m
condition: service_install | near process
falsepositives:
- Unknown
level: high
---
id: c069f460-2b87-4010-8dcf-e45bab362624
logsource:
category: process_creation
product: windows
detection:
process:
Image:
- 'C:\Program Files(x86)\Google\GoogleService.exe'
- 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
fields:
- ComputerName
- User
- CommandLine