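// Detects the APT40 second-stage implant described in the Elastic Security
// Labs reference in `meta`. The condition is `all of them`, so a sample must
// contain every string below to match; a variant that drops or renames any
// one URI path or error message is not covered, so tune the condition
// (e.g. a threshold of strings) if broader coverage is preferred over
// precision.
rule APT_APT40_Implant_June2020 {
    meta:
        version = "1.0"
        author = "Elastic Security"
        date_added = "2020-06-19"
        description = "APT40 second stage implant"
        reference = "https://www.elastic.co/security-labs/advanced-techniques-used-in-malaysian-focused-apt-campaign"

    strings:
        // URI-like paths, stored UTF-16LE (`wide`) in the implant
        $a = "/list_direction" fullword wide
        $b = "/post_document" fullword wide
        $c = "/postlogin" fullword wide
        // printf-style failure messages, stored as ASCII
        $d = "Download Read Path Failed %s" fullword ascii
        $e = "Open Pipe Failed %s" fullword ascii
        $f = "Open Remote File %s Failed For: %s" fullword ascii
        // The original rule also declared $g with exactly the same content as
        // $d; under `all of them` a duplicate adds nothing, so it is dropped.
        // `\\` is a YARA escape: the string matches the literal text \cmd.exe.
        $h = "\\cmd.exe" fullword wide

    condition:
        all of them
}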