GALLIUM Artefacts - Builtin
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Sigma rule (View on GitHub)
1title: GALLIUM Artefacts - Builtin
2id: 3db10f25-2527-4b79-8d4b-471eb900ee29
3related:
4 - id: 440a56bf-7873-4439-940a-1c8a671073c2
5 type: derived
6status: test
7description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
8references:
9 - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
10 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
11author: Tim Burrell
12date: 2020-02-07
13modified: 2023-01-02
14tags:
15 - attack.credential-access
16 - attack.command-and-control
17 - attack.t1071
18 - detection.emerging-threats
19logsource:
20 product: windows
21 service: dns-server-analytic
22 definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
23detection:
24 selection:
25 EventID: 257
26 QNAME:
27 - 'asyspy256.ddns.net'
28 - 'hotkillmail9sddcc.ddns.net'
29 - 'rosaf112.ddns.net'
30 - 'cvdfhjh1231.myftp.biz'
31 - 'sz2016rose.ddns.net'
32 - 'dffwescwer4325.myftp.biz'
33 - 'cvdfhjh1231.ddns.net'
34 condition: selection
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- APT31 Judgement Panda Activity
- CVE-2021-31979 CVE-2021-33771 Exploits
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- CVE-2023-23397 Exploitation Attempt
- DPRK Threat Actor - C2 Communication DNS Indicators