Turla Group Commands May 2020

Detects commands used by Turla group as reported by ESET in May 2020

Sigma rule

title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2025-10-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-evasion
    - attack.g0010
    - attack.execution
    - attack.t1059.001
    - attack.t1053.005
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains:
            - 'tracert -h 10 yahoo.com'
            - '.WSqmCons))|iex;'
            - 'Fr`omBa`se6`4Str`ing'
    selection_cli_2:
        CommandLine|re: 'net\s+use\s+https://docs.live.net'
        CommandLine|contains: '@aol.co.uk'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
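To see what the detection block above actually fires on, here is a hand translation of it into Python run over a few constructed process_creation events; this is an added example, not code from the Sigma project or the rule's author. It assumes Sigma's default semantics: plain string matching is case-insensitive, `|re` is case-sensitive, a list of values under one field is OR'd, and separate fields inside one selection are AND'd.

```python
import re

# Hand translation of the rule's detection block (added example, not
# part of the Sigma project); the match strings come from the rule itself.
SELECTION_CLI_1 = [
    "tracert -h 10 yahoo.com",
    ".WSqmCons))|iex;",
    "Fr`omBa`se6`4Str`ing",
]
SELECTION_CLI_2_RE = re.compile(r"net\s+use\s+https://docs.live.net")
SELECTION_CLI_2_CONTAINS = "@aol.co.uk"


def selection_cli_1(cmdline: str) -> bool:
    # A value list under |contains is OR'd; plain Sigma string matching is
    # case-insensitive, so compare lowercased copies.
    lowered = cmdline.lower()
    return any(s.lower() in lowered for s in SELECTION_CLI_1)


def selection_cli_2(cmdline: str) -> bool:
    # Two fields inside one selection are AND'd. The |re modifier is
    # case-sensitive (no flags), while |contains stays case-insensitive.
    return (SELECTION_CLI_2_RE.search(cmdline) is not None
            and SELECTION_CLI_2_CONTAINS in cmdline.lower())


def matches(event: dict) -> bool:
    # condition: 1 of selection_*  ->  any selection matching is a hit.
    cmd = event.get("CommandLine", "")
    return selection_cli_1(cmd) or selection_cli_2(cmd)


# Constructed sample events (not real telemetry); only the first two fire.
# <ID> and <user> are placeholders, not values from the ESET report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c tracert -h 10 yahoo.com"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  use https://docs.live.net/<ID> /user:<user>@aol.co.uk"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\share"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Date"},
]


def matching_indices(events) -> list:
    # Indices of the events the rule would flag.
    return [i for i, e in enumerate(events) if matches(e)]
```

Note that the third event (a plain `net use` to an SMB share) does not fire because selection_cli_2 needs both the docs.live.net URL and the @aol.co.uk account in the same command line.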
