63 lines
1.7 KiB
YAML
63 lines
1.7 KiB
YAML
|
|
title: Greenbug Campaign Indicators
|
|
author: Florian Roth
|
|
date: 2020/05/20
|
|
description: Detects tools and process executions as observed in a Greenbug campaign
|
|
in May 2020
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
CommandLine: '*bitsadmin*'
|
|
SELECTION_3:
|
|
CommandLine: '*/transfer*'
|
|
SELECTION_4:
|
|
CommandLine: '*CSIDL_APPDATA*'
|
|
SELECTION_5:
|
|
CommandLine:
|
|
- '*CSIDL_SYSTEM_DRIVE*'
|
|
SELECTION_6:
|
|
CommandLine:
|
|
- '*\msf.ps1*'
|
|
- '*8989 -e cmd.exe*'
|
|
- '*system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill*'
|
|
- '*-nop -w hidden -c $k=new-object*'
|
|
- '*[Net.CredentialCache]::DefaultCredentials;IEX *'
|
|
- '* -nop -w hidden -c $m=new-object net.webclient;$m*'
|
|
- '*-noninteractive -executionpolicy bypass whoami*'
|
|
- '*-noninteractive -executionpolicy bypass netstat -a*'
|
|
- '*L3NlcnZlcj1*'
|
|
SELECTION_7:
|
|
Image:
|
|
- '*\adobe\Adobe.exe'
|
|
- '*\oracle\local.exe'
|
|
- '*\revshell.exe'
|
|
- '*infopagesbackup\ncat.exe'
|
|
- '*CSIDL_SYSTEM\cmd.exe'
|
|
- '*\programdata\oracle\java.exe'
|
|
- '*CSIDL_COMMON_APPDATA\comms\comms.exe'
|
|
- '*\Programdata\VMware\Vmware.exe'
|
|
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or SELECTION_5
|
|
or SELECTION_6 or SELECTION_7))
|
|
falsepositives:
|
|
- Unknown
|
|
id: 3711eee4-a808-4849-8a14-faf733da3612
|
|
level: critical
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/09/21
|
|
references:
|
|
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
|
|
status: experimental
|
|
tags:
|
|
- attack.g0049
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086
|
|
- attack.command_and_control
|
|
- attack.t1105
|
|
- attack.defense_evasion
|
|
- attack.t1036
|
|
- attack.t1036.005
|