Elise Backdoor Activity

Detects Elise backdoor activity used by APT32

Sigma rule

title: Elise Backdoor Activity
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
status: test
description: Detects Elise backdoor activity used by APT32
references:
    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
    - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-01-31
modified: 2023-03-09
tags:
    - attack.g0030
    - attack.g0050
    - attack.s0081
    - attack.execution
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_svchost:
        Image|endswith: '\Microsoft\Network\svchost.exe'
    selection_other_del:
        CommandLine|contains|all:
            - '\Windows\Caches\NavShExt.dll'
            - '/c del'
    selection_dll_path:
        CommandLine|endswith:
            - '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll'
            - '\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll'
    selection_dll_function:
        CommandLine|contains: ',Setting'
    condition: 1 of selection_other_* or all of selection_dll_*
falsepositives:
    - Unlikely
level: critical
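To make the detection block concrete, the following added example (not part of the Sigma rule or the Sigma project's own code) transcribes the four selections and the `1 of selection_other_* or all of selection_dll_*` condition into plain Python and runs them over a handful of constructed process_creation events. Sigma string modifiers compare case-insensitively, so every field is lower-cased before matching. The event records, user name and paths are constructed for illustration and are not real telemetry.

```python
"""Evaluate the Elise backdoor Sigma rule over constructed process_creation events."""

from typing import Callable, Dict, List

Event = Dict[str, str]

# Match terms transcribed from the rule, lower-cased because Sigma string
# modifiers (endswith, contains) are case-insensitive by default.
SVCHOST_IMAGE_SUFFIX = r"\microsoft\network\svchost.exe"
DEL_TERMS = (r"\windows\caches\navshext.dll", "/c del")
DLL_PATH_SUFFIXES = (
    r"\appdata\roaming\micros~1\windows\caches\navshext.dll",  # 8.3 short-path form
    r"\appdata\roaming\microsoft\windows\caches\navshext.dll",
)
DLL_FUNCTION_TERM = ",setting"


def _field(event: Event, name: str) -> str:
    """Return a field lower-cased, or '' when the event lacks it."""
    return event.get(name, "").lower()


def selection_other_svchost(event: Event) -> bool:
    # Image|endswith: a single suffix must match
    return _field(event, "Image").endswith(SVCHOST_IMAGE_SUFFIX)


def selection_other_del(event: Event) -> bool:
    # CommandLine|contains|all: every listed substring must be present
    cmd = _field(event, "CommandLine")
    return all(term in cmd for term in DEL_TERMS)


def selection_dll_path(event: Event) -> bool:
    # CommandLine|endswith with a list: any listed suffix may match
    cmd = _field(event, "CommandLine")
    return any(cmd.endswith(suffix) for suffix in DLL_PATH_SUFFIXES)


def selection_dll_function(event: Event) -> bool:
    # CommandLine|contains: a single substring
    return DLL_FUNCTION_TERM in _field(event, "CommandLine")


SELECTIONS: Dict[str, Callable[[Event], bool]] = {
    "selection_other_svchost": selection_other_svchost,
    "selection_other_del": selection_other_del,
    "selection_dll_path": selection_dll_path,
    "selection_dll_function": selection_dll_function,
}


def rule_matches(event: Event) -> bool:
    """condition: 1 of selection_other_* or all of selection_dll_*"""
    other = selection_other_svchost(event) or selection_other_del(event)
    dll = selection_dll_path(event) and selection_dll_function(event)
    return other or dll


def matched_selections(event: Event) -> List[str]:
    """Names of the selections an event satisfies, useful when triaging a hit."""
    return [name for name, check in SELECTIONS.items() if check(event)]


# Constructed sample events (not real telemetry). Only the two fields the
# rule inspects are carried.
SAMPLE_EVENTS: List[Event] = [
    {   # svchost.exe running from a Microsoft\Network directory
        "Image": r"C:\ProgramData\Microsoft\Network\svchost.exe",
        "CommandLine": r"C:\ProgramData\Microsoft\Network\svchost.exe",
    },
    {   # cmd.exe deleting the DLL from the Caches directory
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c del "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll"',
    },
    {   # DLL path followed by ,Setting: the suffix test on CommandLine fails
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting",
    },
    {   # constructed solely to exercise the all-of branch (short-path variant)
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe ,Setting C:\Users\alice\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll",
    },
    {   # benign: the genuine service host from System32
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]


def matching_indices(events: List[Event]) -> List[int]:
    """Indices of the events that fire the rule."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, rule_matches(event), matched_selections(event))
```

The evaluator makes the two halves of the condition visible: the `selection_other_*` branch fires on either selection alone, while the `selection_dll_*` branch needs both. Because `endswith` is a strict suffix test, the third sample, where `,Setting` follows the DLL path, satisfies only `selection_dll_function` and does not fire; `matched_selections` shows exactly which part of the rule a given event touched, which is the first thing to check when reviewing an alert.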
