title: Chafer Activity
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
      type: derived
description: Detects Chafer activity attributed to OilRig as reported in the Nyotron report of March 2018
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
date: 2018/03/23
modified: 2021/09/19
tags:
    - attack.persistence
    - attack.g0049
    - attack.t1053
    - attack.t1053.005
    - attack.s0111
    - attack.t1050
    - attack.t1543.003
    - attack.defense_evasion
    - attack.t1112
    - attack.command_and_control
    - attack.t1071
    - attack.t1071.004
logsource:
    product: windows
    service: security
detection:
    SELECTION_1:
        EventID: 4698
    SELECTION_2:
        TaskName: SC Scheduled Scan
    SELECTION_3:
        TaskName: UpdatMachine
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
    - Unknown
level: critical
yml_filename: win_apt_chafer_mar18_security.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin