Equation Group DLL_U Load

Detects a specific tool and export used by EquationGroup

Rule Content

- title: Equation Group DLL_U Load
  id: d465d1d8-27a2-4cca-9621-a800f37cf72e
  author: Florian Roth
  description: Detects a specific tool and export used by EquationGroup
  references:
  - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
  - https://securelist.com/apt-slingshot/84312/
  - https://twitter.com/cyb3rops/status/972186477512839170
  tags:
  - attack.execution
  - attack.g0020
  - attack.t1059
  - attack.defense_evasion
  - attack.t1085
  logsource:
    category: process_creation
    product: windows
    service: null
  detection:
    selection1:
      Image: '*\rundll32.exe'
      CommandLine: '*,dll_u'
    selection2:
      CommandLine: '* -export dll_u *'
    condition: 1 of them
  falsepositives:
  - Unknown
  level: critical

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='((process_path.keyword:*\\rundll32.exe AND process_command_line.keyword:*,dll_u) OR process_command_line.keyword:*\ \-export\ dll_u\ *)')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results


In [ ]:
df.head()