GALLIUM Artefacts - Builtin

calendar Oct 26, 2023 · attack.credential_access attack.command_and_control attack.t1071 detection.emerging_threats  ·
Share on: linkedin copy

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Sigma rule (View on GitHub)

 1title: GALLIUM Artefacts - Builtin
 2id: 3db10f25-2527-4b79-8d4b-471eb900ee29
 3related:
 4    - id: 440a56bf-7873-4439-940a-1c8a671073c2
 5      type: derived
 6status: test
 7description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
 8references:
 9    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
10    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
11author: Tim Burrell
12date: 2020/02/07
13modified: 2023/01/02
14tags:
15    - attack.credential_access
16    - attack.command_and_control
17    - attack.t1071
18    - detection.emerging_threats
19logsource:
20    product: windows
21    service: dns-server-analytic
22    definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
23detection:
24    selection:
25        EventID: 257
26        QNAME:
27            - 'asyspy256.ddns.net'
28            - 'hotkillmail9sddcc.ddns.net'
29            - 'rosaf112.ddns.net'
30            - 'cvdfhjh1231.myftp.biz'
31            - 'sz2016rose.ddns.net'
32            - 'dffwescwer4325.myftp.biz'
33            - 'cvdfhjh1231.ddns.net'
34    condition: selection
35falsepositives:
36    - Unknown
37level: high

References

Related rules

to-top