Unidentified Attacker November 2018

A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.

Rule Content

- action: global
  title: Unidentified Attacker November 2018
  id: 7453575c-a747-40b9-839b-125a0aae324b
  status: stable
  description: A sigma rule detecting an unidetefied attacker who used phishing emails
    to target high profile orgs on November 2018. The Actor shares some TTPs with
    YYTRIUM/APT29 campaign in 2016.
  references:
  - https://twitter.com/DrunkBinary/status/1063075530180886529
  author: '@41thexplorer, Windows Defender ATP'
  date: 2018/11/20
  modified: 2018/12/11
  tags:
  - attack.execution
  - attack.t1085
  detection:
    condition: 1 of them
  level: high
- logsource:
    category: process_creation
    product: windows
  detection:
    selection1:
      CommandLine: '*cyzfc.dat, PointFunctionCall'
- logsource:
    product: windows
    service: sysmon
  detection:
    selection2:
      EventID: 11
      TargetFilename:
      - '*ds7002.lnk*'

Querying Elasticsearch

Import Libraries



In [ ]:

    
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client



In [ ]:

    
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query



In [ ]:

    
s = searchContext.query('query_string', query='process_command_line.keyword:*cyzfc.dat,\ PointFunctionCall')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))



In [ ]:

    
s = searchContext.query('query_string', query='(event_id:"11" AND file_name.keyword:(*ds7002.lnk*))')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results



In [ ]:

    
df.head()