title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
    in March 2018
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_10:
        CommandLine: '*-q=TXT*'
    SELECTION_11:
        ParentImage: '*\Autoit*'
    SELECTION_2:
        CommandLine: '*\Service.exe*'
    SELECTION_3:
        CommandLine: '*i'
    SELECTION_4:
        CommandLine: '*u'
    SELECTION_5:
        CommandLine: '*\microsoft\Taskbar\autoit3.exe'
    SELECTION_6:
        CommandLine: C:\wsc.exe*
    SELECTION_7:
        Image: '*\Windows\Temp\DB\\*'
    SELECTION_8:
        Image: '*.exe'
    SELECTION_9:
        CommandLine: '*\nslookup.exe*'
    condition: (SELECTION_1 and ((SELECTION_2 and (SELECTION_3 or SELECTION_4)) or
        (SELECTION_5 or SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9
        and SELECTION_10 and SELECTION_11)))
falsepositives:
- Unknown
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
level: critical
logsource:
    category: process_creation
    product: windows
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
related:
-   id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
    type: derived
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
yml_filename: process_creationn_apt_chafer_mar18.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation