50 lines
1.7 KiB
YAML
50 lines
1.7 KiB
YAML
|
|
title: SOURGUM Actor Behaviours
|
|
author: MSTIC, FPT.EagleEye
|
|
date: 2021/06/15
|
|
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image: '*windows\system32\Physmem.sys*'
|
|
SELECTION_3:
|
|
Image:
|
|
- '*Windows\system32\ime\SHARED\WimBootConfigurations.ini*'
|
|
- '*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*'
|
|
- '*Windows\system32\ime\IMETC\WimBootConfigurations.ini*'
|
|
SELECTION_4:
|
|
EventID: 1
|
|
SELECTION_5:
|
|
Image:
|
|
- '*windows\system32\filepath2*'
|
|
- '*windows\system32\ime*'
|
|
SELECTION_6:
|
|
CommandLine:
|
|
- '*reg add*'
|
|
SELECTION_7:
|
|
CommandLine:
|
|
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*'
|
|
- '*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*'
|
|
condition: (SELECTION_1 and ((SELECTION_2 or SELECTION_3) or (SELECTION_4 and SELECTION_5
|
|
and SELECTION_6 and SELECTION_7)))
|
|
falsepositives:
|
|
- Unknown
|
|
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/07/30
|
|
references:
|
|
- https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
|
|
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
|
|
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
|
|
status: experimental
|
|
tags:
|
|
- attack.t1546
|
|
- attack.t1546.015
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
ruletype: SIGMA
|