title: Octopus Scanner Malware
author: NVISO
date: 2020/06/09
description: Detects Octopus Scanner Malware.
detection:
    SELECTION_1:
        EventID: 11
    SELECTION_2:
        TargetFilename: '*\AppData\Local\Microsoft\Cache134.dat'
    SELECTION_3:
        TargetFilename: '*\AppData\Local\Microsoft\ExplorerSync.db'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: 805c55d9-31e6-4846-9878-c34c75054fe9
level: high
logsource:
    category: file_event
    product: windows
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
status: experimental
tags:
- attack.t1195
- attack.t1195.001
yml_filename: file_event_mal_octopus_scanner.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/malware