Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Sigma rule
```yaml
title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2021-11-27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1059.001
    - attack.t1053.005
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains:
            - 'tracert -h 10 yahoo.com'
            - '.WSqmCons))|iex;'
            - 'Fr`omBa`se6`4Str`ing'
    selection_cli_2:
        CommandLine|contains|all:
            - 'net use https://docs.live.net'
            - '@aol.co.uk'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
```
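The following is an added example, not code from the Sigma project: a small Python evaluator for the two selections above (`contains` is an OR over its list, `contains|all` an AND) and the `1 of selection_*` condition, run over constructed process-creation events that exercise each branch, including the near-miss where only one of the `all` terms is present.

```python
# Added illustration of the rule's matching logic, not part of the Sigma project.
# Sample events below are constructed, not real telemetry.

# Patterns copied verbatim from the rule above.
CLI_1_ANY = ("tracert -h 10 yahoo.com", ".WSqmCons))|iex;", "Fr`omBa`se6`4Str`ing")
CLI_2_ALL = ("net use https://docs.live.net", "@aol.co.uk")


def match_selection_cli_1(command_line: str) -> bool:
    """CommandLine|contains: ANY listed substring present.
    Sigma string matching is case-insensitive by default, so compare lowered."""
    cl = command_line.lower()
    return any(p.lower() in cl for p in CLI_1_ANY)


def match_selection_cli_2(command_line: str) -> bool:
    """CommandLine|contains|all: EVERY listed substring must be present."""
    cl = command_line.lower()
    return all(p.lower() in cl for p in CLI_2_ALL)


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_* -> OR across both selections."""
    cl = event.get("CommandLine", "")
    return match_selection_cli_1(cl) or match_selection_cli_2(cl)


# Constructed process_creation events covering each branch of the rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\tracert.exe",
     "CommandLine": "tracert -h 10 yahoo.com"},                                  # cli_1 hit
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c [Convert]::Fr`omBa`se6`4Str`ing($x)"},  # cli_1 hit
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use https://docs.live.net/x /user:a@aol.co.uk"},       # cli_2 hit (both terms)
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use https://docs.live.net/x /user:a@example.com"},     # cli_2 miss (one term)
    {"Image": r"C:\Windows\System32\tracert.exe",
     "CommandLine": "tracert -h 30 example.com"},                                # benign, miss
]


def alerts(events) -> list:
    """Return the command lines of events that would raise this rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cl in alerts(SAMPLE_EVENTS):
        print("ALERT:", cl)
```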
Related rules
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Potential Emotet Activity
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Exploited CVE-2020-10189 Zoho ManageEngine