APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
Sigma rule (View on GitHub)
1title: APT PRIVATELOG Image Load Pattern
2id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
3status: test
4description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
5references:
6 - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
7author: Florian Roth (Nextron Systems)
8date: 2021-09-07
9modified: 2022-10-09
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1055
14 - detection.emerging-threats
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\svchost.exe'
21 ImageLoaded|endswith: '\clfsw32.dll'
22 condition: selection
23falsepositives:
24 - Rarely observed
25level: high
References
-
We shine light on a tricky new malware family we discovered, PRIVATELOG, and its installer STASHLOG.
Read More
Related rules
- Malware Shellcode in Verclsid Target Process
- Potential Dridex Activity
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns