Geofenced Ru

Detect region and exit if matched with a hardcoded country list: Get-UICulture).Name -match "CN|RO|RU|UA|BY

Sigma rule (View on GitHub)

title: Geofenced Ru
status: experimental
description: Detect region and exit if matched with hardcoded country list Get-UICulture).Name -match "CN|RO|RU|UA|BY
author: Joe Security
date: 2019-11-06
id: 200019
threatname:
behaviorgroup: 8
classification: 8
mitreattack: T1497

logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'
    condition: selection
level: critical
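
Added example (not part of the Joe Security rule or the original page): this Python sketch shows that the rule's CommandLine literal is the base64 form of the fragment in the description, and checks which byte alignments of that fragment inside an encoded script the literal covers. The closing quote in `FRAGMENT`, the helper names and the sample command lines are assumptions constructed for illustration.

```python
import base64

# Literal from the rule's CommandLine selection, wildcards stripped.
RULE_LITERAL = "R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI"
# Fragment from the rule description. The closing quote is an assumption,
# inferred from the literal's final "I".
FRAGMENT = b'Get-UICulture).Name -match "CN|RO|RU|UA|BY"'


def offset_patterns(fragment: bytes) -> list[str]:
    """Base64 substrings that identify `fragment` at byte alignment 0, 1 and 2."""
    patterns = []
    for shift in range(3):
        encoded = base64.b64encode(b"\x00" * shift + fragment).decode()
        start = (0, 2, 3)[shift]                # characters that depend on preceding bytes
        end = (shift + len(fragment)) * 8 // 6  # characters fully set by the fragment
        patterns.append(encoded[start:end])
    return patterns


def rule_hits(command_line: str, patterns: list[str]) -> bool:
    """Substring test, standing in for the rule's *literal* wildcard match."""
    return any(p in command_line for p in patterns)


def sample_command_line(offset: int) -> str:
    """Constructed sample: encoded script with the fragment starting at byte `offset`."""
    script = b"if ((".rjust(offset) + FRAGMENT + b") { exit }"
    blob = base64.b64encode(script).decode()
    return "powershell.exe <constructed arguments> " + blob


def coverage() -> dict[int, tuple[bool, bool]]:
    """Map fragment offset -> (hit by the rule's literal, hit by all three patterns)."""
    every = offset_patterns(FRAGMENT)
    return {
        k: (rule_hits(sample_command_line(k), [RULE_LITERAL]),
            rule_hits(sample_command_line(k), every))
        for k in (6, 7, 8)
    }


if __name__ == "__main__":
    print("alignment 0 pattern equals rule literal:",
          offset_patterns(FRAGMENT)[0] == RULE_LITERAL)
    for k, (as_written, all_three) in coverage().items():
        print(f"fragment at byte {k}: rule literal={as_written}, three patterns={all_three}")
```

Sigma's `base64offset|contains` modifier expands a plaintext value into these three alignment patterns, so a rule can carry the fragment itself rather than a single pre-encoded literal.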