NanoCore
detect run.dat of NanoCore
Sigma rule
title: NanoCore
status: experimental
description: detect run.dat of NanoCore
author: Joe Security
date: 2019-11-08
id: 200023
threatname: NanoCore
behaviorgroup: 14,20,21,22
classification: 4
logsource:
  service: sysmon
  product: windows
detection:
  selection:
    EventID: 11
    TargetFilename: '*\AppData\Roaming\\*-*-*-*-*\run.dat*'
  condition: selection
level: critical
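The following is an added example, not part of the rule or of Joe Security's tooling: a small Python evaluator for the rule's selection, showing how the `\\*` in TargetFilename parses under Sigma's escaping (a literal backslash followed by a wildcard) and which paths the pattern accepts. The event dictionaries, the user name and the directory names are constructed test data, and the function names are hypothetical.

```python
import re

# TargetFilename value from the rule (single-quoted YAML: backslashes are literal).
RULE_PATTERN = r'*\AppData\Roaming\\*-*-*-*-*\run.dat*'

def sigma_to_regex(pattern):
    """Compile a Sigma wildcard string to an anchored, case-insensitive regex."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        # Sigma escaping: '\\' '\*' '\?' yield the second character literally.
        if ch == '\\' and pattern[i + 1:i + 2] in ('*', '?', '\\'):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == '*':
            parts.append('.*')        # any run of characters, including '\'
        elif ch == '?':
            parts.append('.')         # exactly one character
        else:
            parts.append(re.escape(ch))  # a lone '\' stays a literal backslash
        i += 1
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)

RULE_RE = sigma_to_regex(RULE_PATTERN)

def rule_matches(event):
    """Apply the rule's selection: EventID 11 AND TargetFilename wildcard match."""
    return (event.get('EventID') == 11
            and RULE_RE.fullmatch(event.get('TargetFilename', '')) is not None)

# Constructed Sysmon events (not real telemetry).
BASE = r'C:\Users\alice\AppData\Roaming'
GUID_DIR = r'\11111111-2222-3333-4444-555555555555'
SAMPLES = {
    'guid_dir':    {'EventID': 11, 'TargetFilename': BASE + GUID_DIR + r'\run.dat'},
    'lower_case':  {'EventID': 11, 'TargetFilename': (BASE + GUID_DIR + r'\RUN.DAT').lower()},
    'wrong_event': {'EventID': 1,  'TargetFilename': BASE + GUID_DIR + r'\run.dat'},
    'plain_dir':   {'EventID': 11, 'TargetFilename': BASE + r'\Notes\run.dat'},
    # The wildcards are not limited to one path segment, so four hyphens spread
    # over nested folders also satisfy the pattern (a false-positive source).
    'nested_dirs': {'EventID': 11, 'TargetFilename': BASE + r'\my-app\a-b\c-d-e\run.dat.bak'},
}

def evaluate():
    """Return {sample name: True/False} for every constructed event."""
    return {name: rule_matches(event) for name, event in SAMPLES.items()}

if __name__ == '__main__':
    for name, hit in evaluate().items():
        print(f'{name:12} {"MATCH" if hit else "no match"}')
```

The `nested_dirs` case matches because `*` also spans path separators; a deployment that sees such hits can constrain the folder name to a GUID shape in the backend query.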