GALLIUM Artefacts - Builtin
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Sigma rule (View on GitHub)
1title: GALLIUM Artefacts - Builtin
2id: 3db10f25-2527-4b79-8d4b-471eb900ee29
3related:
4 - id: 440a56bf-7873-4439-940a-1c8a671073c2
5 type: derived
6status: test
7description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
8references:
9 - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
10 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
11author: Tim Burrell
12date: 2020/02/07
13modified: 2023/01/02
14tags:
15 - attack.credential_access
16 - attack.command_and_control
17 - attack.t1071
18 - detection.emerging_threats
19logsource:
20 product: windows
21 service: dns-server-analytic
22 definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
23detection:
24 selection:
25 EventID: 257
26 QNAME:
27 - 'asyspy256.ddns.net'
28 - 'hotkillmail9sddcc.ddns.net'
29 - 'rosaf112.ddns.net'
30 - 'cvdfhjh1231.myftp.biz'
31 - 'sz2016rose.ddns.net'
32 - 'dffwescwer4325.myftp.biz'
33 - 'cvdfhjh1231.ddns.net'
34 condition: selection
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- GALLIUM IOCs
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Potential CVE-2023-36884 Exploitation - File Downloads
- Potential CVE-2023-36884 Exploitation - Share Access