Elise Backdoor Activity

 1title: Elise Backdoor Activity
 2id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
 3status: test
 4description: Detects Elise backdoor activity used by APT32
 5references:
 6    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
 7    - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2018/01/31
10modified: 2023/03/09
11tags:
12    - attack.g0030
13    - attack.g0050
14    - attack.s0081
15    - attack.execution
16    - attack.t1059.003
17    - detection.emerging_threats
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_other_svchost:
23        Image|endswith: '\Microsoft\Network\svchost.exe'
24    selection_other_del:
25        CommandLine|contains|all:
26            - '\Windows\Caches\NavShExt.dll'
27            - '/c del'
28    selection_dll_path:
29        CommandLine|endswith:
30            - '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll'
31            - '\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll'
32    selection_dll_function:
33        CommandLine|contains: ',Setting'
34    condition: 1 of selection_other_* or all of selection_dll_*
35falsepositives:
36    - Unlikely
37level: critical

References

• https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting

  
  Read More

• Wayback Machine

  Content crawled via the Wayback Machine Live Proxy mostly by the Save Page Now feature on web.archive.org. Liveweb proxy is a component of Internet Archive’s wayback machine project. The liveweb ...

  
  Read More

Related rules

• Exploited CVE-2020-10189 Zoho ManageEngine
• Exploiting SetupComplete.cmd CVE-2019-1378
• ZxShell Malware
• Blue Mockingbird
• CVE-2021-1675 Print Spooler Exploitation