Lazarus Group Activity

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Sigma rule

title: Lazarus Group Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
related:
    - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
      type: obsoletes
status: test
description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
references:
    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
    - https://www.hvs-consulting.de/lazarus-report/
author: Florian Roth (Nextron Systems), wagga
date: 2020/12/23
modified: 2023/03/10
tags:
    - attack.g0032
    - attack.execution
    - attack.t1059
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic:
        CommandLine|contains:
            - 'reg.exe save hklm\sam %temp%\~reg_sam.save'
            - '1q2w3e4r@#$@#$@#$'
            - ' -hp1q2w3e4 '
            - '.dat data03 10000 -p '
    selection_netstat:
        CommandLine|contains|all:
            - 'netstat -aon | find '
            - 'ESTA'
            - ' > %temp%\~'
    # Network share discovery
    selection_network_discovery:
        CommandLine|contains|all:
            - '.255 10 C:\ProgramData\IBM\'
            - '.DAT'
    selection_persistence:
        CommandLine|contains|all:
            - ' /c '
            - ' -p 0x'
        CommandLine|contains:
            - 'C:\ProgramData\'
            - 'C:\RECYCLER\'
    selection_rundll32:
        CommandLine|contains|all:
            - 'rundll32 '
            - 'C:\ProgramData\'
        CommandLine|contains:
            - '.bin,'
            - '.tmp,'
            - '.dat,'
            - '.io,'
            - '.ini,'
            - '.db,'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
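To show how the selections above combine, here is an added Python evaluator (not part of the rule or the Sigma project) that transcribes the detection section and runs it over constructed process_creation events; it assumes Sigma's default case-insensitive string matching, `contains` as OR over the listed values, `contains|all` as AND, and fields within one selection ANDed.

```python
# Added example (not part of the Sigma rule or the Sigma project): a minimal
# evaluator for the selections above, run over constructed process_creation
# events. Sigma string modifiers match case-insensitively; 'contains' ORs the
# listed values, 'contains|all' ANDs them, and '1 of selection_*' ORs selections.

def contains_any(value, needles):
    """Sigma 'contains': true if any needle occurs in value (case-insensitive)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def contains_all(value, needles):
    """Sigma 'contains|all': true only if every needle occurs in value."""
    v = value.lower()
    return all(n.lower() in v for n in needles)

# Selections transcribed from the rule; fields within one selection are ANDed.
SELECTIONS = {
    "selection_generic": [lambda c: contains_any(c, [
        "reg.exe save hklm\\sam %temp%\\~reg_sam.save", "1q2w3e4r@#$@#$@#$",
        " -hp1q2w3e4 ", ".dat data03 10000 -p "])],
    "selection_netstat": [lambda c: contains_all(c, [
        "netstat -aon | find ", "ESTA", " > %temp%\\~"])],
    "selection_network_discovery": [lambda c: contains_all(c, [
        ".255 10 C:\\ProgramData\\IBM\\", ".DAT"])],
    "selection_persistence": [
        lambda c: contains_all(c, [" /c ", " -p 0x"]),
        lambda c: contains_any(c, ["C:\\ProgramData\\", "C:\\RECYCLER\\"])],
    "selection_rundll32": [
        lambda c: contains_all(c, ["rundll32 ", "C:\\ProgramData\\"]),
        lambda c: contains_any(c, [".bin,", ".tmp,", ".dat,", ".io,", ".ini,", ".db,"])],
}

def matched_selections(event):
    """Return the names of all selections a process_creation event satisfies."""
    cmd = event.get("CommandLine", "")
    return [name for name, preds in SELECTIONS.items() if all(p(cmd) for p in preds)]

def rule_fires(event):
    """Condition '1 of selection_*': any matching selection triggers the rule."""
    return bool(matched_selections(event))

# Constructed sample events (not from any real incident or the cited reports).
SAMPLE_EVENTS = [
    {"CommandLine": "cmd.exe /c netstat -aon | find ESTA > %temp%\\~net.txt"},
    {"CommandLine": "rundll32 C:\\ProgramData\\update.bin,Start"},
    {"CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]
```

Call `rule_fires(event)` on a dict carrying a `CommandLine` key; `matched_selections` tells you which selection produced the hit, which is what you want recorded in the alert for triage.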
