TAIDOOR RAT DLL Load

 1title: TAIDOOR RAT DLL Load
 2id: d1aa3382-abab-446f-96ea-4de52908210b
 3status: test
 4description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
 5references:
 6    - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
 7author: Florian Roth (Nextron Systems)
 8date: 2020-07-30
 9modified: 2021-11-27
10tags:
11    - attack.execution
12    - attack.t1055.001
13    - detection.emerging-threats
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection1:
19        CommandLine|contains:
20            - 'dll,MyStart'
21            - 'dll MyStart'
22    selection2a:
23        CommandLine|endswith: ' MyStart'
24    selection2b:
25        CommandLine|contains: 'rundll32.exe'
26    condition: selection1 or ( selection2a and selection2b )
27falsepositives:
28    - Unknown
29level: high

References

• MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR | CISA

  Notification This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contain...

  
  Read More

Related rules

• APT29 2018 Phishing Campaign CommandLine Indicators
• Adwind RAT / JRAT
• Blue Mockingbird
• CVE-2021-1675 Print Spooler Exploitation
• CVE-2021-1675 Print Spooler Exploitation IPC Access