Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of the EquationGroup tools
Sigma rule

```yaml
title: Equation Group DLL_U Export Function Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
status: stable
description: Detects a specific export function name used by one of EquationGroup tools
references:
    - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://twitter.com/cyb3rops/status/972186477512839170
author: Florian Roth (Nextron Systems)
date: 2019-03-04
modified: 2023-03-09
tags:
    - attack.g0020
    - attack.defense-evasion
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: '-export dll_u'
        - CommandLine|endswith:
            - ',dll_u'
            - ' dll_u'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```
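To show how the selection above evaluates, here is an added example (not part of the rule page or the Sigma project) that applies the rule's three CommandLine matchers, with Sigma's default case-insensitive string comparison, to a handful of constructed process_creation events; the file paths and events are made up for illustration.

```python
"""Evaluate the selection of the 'Equation Group DLL_U Export Function Load'
Sigma rule against constructed process_creation events (added example)."""

# The selection as written in the rule: all three matchers are OR-ed.
CONTAINS = ["-export dll_u"]
ENDSWITH = [",dll_u", " dll_u"]


def matches_dll_u_rule(command_line: str) -> bool:
    """Return True when the CommandLine field satisfies the rule's selection.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. Values in a modifier list are OR-ed, and the two list items
    under `selection` are OR-ed as well (a list under `selection` means OR).
    """
    cl = command_line.lower()
    if any(s.lower() in cl for s in CONTAINS):
        return True
    return any(cl.endswith(s.lower()) for s in ENDSWITH)


def triage(events):
    """Run the rule over event dicts shaped like process_creation logs and
    return the CommandLine values that would raise a level: critical alert."""
    return [e["CommandLine"] for e in events
            if matches_dll_u_rule(e.get("CommandLine", ""))]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\tmp.dll,dll_u"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"RUNDLL32.EXE C:\Users\Public\tmp.dll dll_u"},   # case differs
    {"Image": r"C:\Users\Public\loader.exe",
     "CommandLine": r"loader.exe -export DLL_U C:\Users\Public\x.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\tmp.dll,dll_update"},  # not anchored
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT (critical):", hit)
```

The last two events show why the `endswith` anchoring matters: a legitimate export name and an unrelated export that merely starts with `dll_u` do not fire.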
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Fireball Archer Install
- IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32