hayabusa/rules/Sigma/win_apt_chafer_mar18_system.yml

title: Chafer Activity
author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
description: Detects Chafer activity attributed to OilRig as reported in Nyotron report
    in March 2018
detection:
    SELECTION_1:
        EventID: 7045
    SELECTION_2:
        ServiceName: SC Scheduled Scan
    SELECTION_3:
        ServiceName: UpdatMachine
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
level: critical
logsource:
    product: windows
    service: system
modified: 2021/09/19
references:
- https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
tags:
- attack.persistence
- attack.g0049
- attack.t1053
- attack.t1053.005
- attack.s0111
- attack.t1050
- attack.t1543.003
- attack.defense_evasion
- attack.t1112
- attack.command_and_control
- attack.t1071
- attack.t1071.004
yml_filename: win_apt_chafer_mar18_system.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin