<!-- Windows APT Local rules
Author: Adem Simsek ademsim@gmail.com
-->
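<group name="local,syslog,win_apt">
  <!--
    Windows APT indicator rules. Every rule here is a child of a stock rule
    (if_sid) and adds a string test on the decoded event, a two-part description
    (consecutive description elements are joined in order, so the trailing space
    and comma on the first part are intentional) and a set of classification groups.
    NOTE(review): match is a plain substring test and regex a pattern test, and
    both appear to be case-sensitive, so the mixed "Temp"/"temp" spellings below
    will only fire on the exact casing the agent emits. Confirm against real output.
  -->

  <!-- 60001: membership change on a local security group from the Windows event log. -->
  <rule id="60001" level="10">
    <if_sid>18203,18217</if_sid>
    <match>A member was added to a security-enabled local group.</match>
    <!-- NOTE(review): this string fires for any security-enabled local group, not only
         Administrators, so the description overstates what was verified. Narrow the
         rule with the group name once the decoded event text it appears in is confirmed. -->
    <description>A user has been added to Administrators Group, </description>
    <description>Black Energy APT may have begun.</description>
    <info type="link">https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf</info>
    <group>windows,pci_dss_8.1.2,pci_dss_10.2.5,group_changed,win_group_changed</group>
  </rule>

  <!-- 60002 to 60006, 60009 to 60011, 60013, 60015 to 60019: file-name indicators on
       top of rule 512 (rootcheck). Each fires when the indicator appears anywhere in
       the decoded message, so short names such as number.exe or update.exe are prone
       to false positives and should be reviewed with the full path where possible. -->
  <rule id="60002" level="12">
    <if_sid>512</if_sid>
    <match>Temp\rdws.exe</match>
    <description>A suspicious file has been detected, </description>
    <description>Blue Termite APT may have begun.</description>
    <info type="link">https://securelist.com/new-activity-of-the-blue-termite-apt/71876</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60003" level="12">
    <if_sid>512</if_sid>
    <match>edg6EF885E2.tmp</match>
    <description>A suspicious file has been detected, </description>
    <description>APT28 Phase may have begun.</description>
    <info type="link">https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60004" level="12">
    <if_sid>512</if_sid>
    <match>com\svchost.exe</match>
    <description>A suspicious file has been detected, </description>
    <description>Carbanak APT may have begun.</description>
    <info type="link">https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60005" level="12">
    <if_sid>512</if_sid>
    <match>number.exe</match>
    <description>A suspicious file has been detected, </description>
    <description>Cloud Atlas APT may have begun.</description>
    <info type="link">https://securelist.com/red-october-detailed-malware-description-4-second-stage-of-attack/36884</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60006" level="12">
    <if_sid>512</if_sid>
    <match>temp\New Text Document</match>
    <description>A suspicious file has been detected, </description>
    <description>Dukes APT Phase 1 may have begun.</description>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <!-- 60007, 60008: registry-key indicators on top of rule 550 (syscheck). -->
  <rule id="60007" level="12">
    <if_sid>550</if_sid>
    <match>\Software\Microsoft\Windows\CurrentVersion\Run</match>
    <!-- NOTE(review): this is the generic per-user autorun key, so any change to it
         raises a level 12 alert. Expect noise from legitimate installers; tune with
         an additional regex on the value name if the agent output exposes it. -->
    <description>A registry change has been detected, </description>
    <description>Dukes APT may have begun.</description>
    <info type="link">https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2011-0611.A</info>
    <group>win_apt,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60008" level="12">
    <if_sid>550</if_sid>
    <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4</match>
    <description>A registry change has been detected, </description>
    <description>Duqu APT may have begun.</description>
    <info type="link">https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf</info>
    <group>win_apt,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60009" level="12">
    <if_sid>512</if_sid>
    <match>nls_933w.dll</match>
    <description>A suspicious file has been detected, </description>
    <!-- Stray quote and period after "begun." removed from the alert text. -->
    <description>Equation APT may have begun.</description>
    <info type="link">https://threatpost.com/inside-nls_933w-dll-the-equation-apt-persistence-module/111128</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <!-- NOTE(review): 60010 and 60015 overlap; 60015 already covers every event 60010
       would match. Both sit at level 12 under 512, so only file order decides which
       one fires. Consider merging them or dropping the narrower 60010. -->
  <rule id="60010" level="12">
    <if_sid>512</if_sid>
    <match>drivers\diskfilter.sys</match>
    <description>A suspicious file has been detected, </description>
    <description>Hellsing APT may have begun.</description>
    <info type="link">https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60011" level="12">
    <if_sid>512</if_sid>
    <match>tmp\delete.bat</match>
    <description>A suspicious file has been detected, </description>
    <description>FinSpy APT may have begun.</description>
    <info type="link">https://citizenlab.ca/storage/finfisher/final/fortheireyesonly.pdf</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <!-- 60012, 60014: indicators on top of rule 530 (command output); both the match
       and the regex must be satisfied by the same event. -->
  <rule id="60012" level="12">
    <if_sid>530</if_sid>
    <match>Finspy_2</match>
    <regex>lastClockrate</regex>
    <description>A suspicious registry key has been detected, </description>
    <description>FinSpy APT may have begun.</description>
    <info type="link">https://citizenlab.ca/storage/finfisher/final/fortheireyesonly.pdf</info>
    <!-- Group list added for consistency with 60014, the parallel if_sid 530 rule;
         without it this rule was the only one in the file with no classification. -->
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60013" level="12">
    <if_sid>512</if_sid>
    <regex>jlc3V7we</regex>
    <!-- Comma restored so the joined alert text reads like the other rules. -->
    <description>A suspicious file has been detected, </description>
    <description>Hacking Team RCS APT may have begun.</description>
    <info type="link">https://citizenlab.ca/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60014" level="12">
    <if_sid>530</if_sid>
    <match>HackingRCS_APT_2</match>
    <regex>J7PugHy</regex>
    <description>A suspicious registry key has been detected, </description>
    <description>Hacking Team RCS APT may have begun.</description>
    <info type="link">https://citizenlab.ca/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60015" level="12">
    <if_sid>512</if_sid>
    <!-- NOTE(review): in a regex the unescaped dot presumably matches any character,
         so this is slightly broader than the literal file name (same for auto.dll
         in 60017). Harmless here, but escape the dot if an exact name is intended,
         after confirming the escape syntax the rule engine accepts. -->
    <regex>diskfilter.sys</regex>
    <description>A suspicious file has been detected, </description>
    <description>Hellsing APT may have begun.</description>
    <info type="link">https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60016" level="12">
    <if_sid>512</if_sid>
    <!-- One alternation split across two match elements; the trailing pipe on the
         first half relies on the loader joining them. Duplicate irene.pdb removed. -->
    <match>clare.pdb|irene.pdb|xKat.pdb|msger_install.pdb|</match>
    <match>msger_server.pdb|i386\xrat.pdb|test.pdb</match>
    <description>A suspicious file has been detected, </description>
    <description>Hellsing APT may have begun.</description>
    <info type="link">https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60017" level="12">
    <if_sid>512</if_sid>
    <regex>auto.dll</regex>
    <description>A suspicious file has been detected, </description>
    <description>Kimsuky APT may have begun.</description>
    <info type="link">https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60018" level="12">
    <if_sid>512</if_sid>
    <match>Temp\update.exe</match>
    <description>A suspicious file has been detected, </description>
    <description>Naikon APT Phase 2 may have begun.</description>
    <info type="link">https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>

  <rule id="60019" level="12">
    <if_sid>512</if_sid>
    <match>Adobe\netmgr</match>
    <description>A suspicious file has been detected, </description>
    <description>NetTraveler APT Phase 2 may have begun.</description>
    <info type="link">https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134120/kaspersky-the-net-traveler-part1-final.pdf</info>
    <group>win_apt,rootcheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f</group>
  </rule>
</group>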