Greenbug Espionage Group Indicators

 1title: Greenbug Espionage Group Indicators
 2id: 3711eee4-a808-4849-8a14-faf733da3612
 3status: test
 4description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
 5references:
 6    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
 7author: Florian Roth (Nextron Systems)
 8date: 2020/05/20
 9modified: 2023/03/09
10tags:
11    - attack.g0049
12    - attack.execution
13    - attack.t1059.001
14    - attack.command_and_control
15    - attack.t1105
16    - attack.defense_evasion
17    - attack.t1036.005
18    - detection.emerging_threats
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        Image|endswith:
25            - ':\ProgramData\adobe\Adobe.exe'
26            - ':\ProgramData\oracle\local.exe'
27            - '\revshell.exe'
28            - '\infopagesbackup\ncat.exe'
29            - ':\ProgramData\comms\comms.exe'
30    selection_msf:
31        CommandLine|contains|all:
32            - '-ExecutionPolicy Bypass -File'
33            - '\msf.ps1'
34    selection_ncat:
35        CommandLine|contains|all:
36            - 'infopagesbackup'
37            - '\ncat'
38            - '-e cmd.exe'
39    selection_powershell:
40        CommandLine|contains:
41            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
42            - '-nop -w hidden -c $k=new-object'
43            - '[Net.CredentialCache]::DefaultCredentials;IEX '
44            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
45            - '-noninteractive -executionpolicy bypass whoami'
46            - '-noninteractive -executionpolicy bypass netstat -a'
47    selection_other:
48        CommandLine|contains: 'L3NlcnZlcj1'  # base64 encoded '/server='
49    condition: 1 of selection_*
50falsepositives:
51    - Unlikely
52level: critical