title: SOURGUM Actor Behaviours
author: MSTIC, FPT.EagleEye
date: 2021/06/15
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*windows\system32\Physmem.sys*'
  SELECTION_3:
    Image:
    - '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
    - '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
    - '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
  SELECTION_4:
    EventID: 1
  SELECTION_5:
    Image:
    - '*windows\system32\filepath2*'
    - '*windows\system32\ime*'
  SELECTION_6:
    CommandLine:
    - '*reg add*'
  SELECTION_7:
    CommandLine:
    - '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
    - '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
  condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5
    and SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/07/30
references:
- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
status: experimental
tags:
- attack.t1546
- attack.t1546.015
- attack.persistence
- attack.privilege_escalation
ruletype: SIGMA