Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
Sigma rule (View on GitHub)
1title: Small Sieve Malware File Indicator Creation
2id: 39466c42-c189-476a-989f-8cdb135c163a
3status: test
4description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
5references:
6 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
7author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
8date: 2023/05/19
9tags:
10 - attack.defense_evasion
11 - attack.t1036.005
12 - detection.emerging_threats
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection_typo_path:
18 TargetFilename|contains|all:
19 - ':\Users\'
20 - '\AppData\'
21 TargetFilename|contains:
22 - '\Roaming\'
23 - '\Local\'
24 selection_typo_keyword:
25 TargetFilename|contains: 'Microsift'
26 selection_ioc:
27 TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
28 condition: all of selection_typo_* or selection_ioc
29falsepositives:
30 - Unlikely
31level: high
References
Related rules
- Exploit for CVE-2015-1641
- Greenbug Espionage Group Indicators
- Lazarus System Binary Masquerading
- Goofy Guineapig Backdoor IOC
- Potential Devil Bait Malware Reconnaissance