Merge pull request SigmaHQ#821 from NVISO-BE/win_mal_octopus_scanner
Octopus Scanner malware rule
Neo23x0 authored Jun 9, 2020
2 parents 94b90ad + a9bf227 commit ad5c0a6
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions rules/windows/malware/win_mal_octopus_scanner.yml
@@ -0,0 +1,24 @@
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: experimental
description: Detects Octopus Scanner Malware.
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
tags:
- attack.t1195
author: NVISO
date: 2020/06/09
logsource:
product: windows
service: sysmon
detection:
filecreate:
EventID: 11
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: filecreate and selection
falsepositives:
- Unknown
level: high
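Review bot: the `logsource` block should use the generic `category: file_event` with `product: windows` instead of `service: sysmon` plus a hand-written `filecreate: EventID: 11` selection; Sigma's generic file-creation log source already maps to Sysmon Event ID 11 on the Sysmon backends and also lets other backends that expose file-creation telemetry convert the rule, and the condition then collapses to just `selection`. The `tags` list should carry the tactic alongside the technique (`attack.initial_access` next to `attack.t1195`), which is the convention the rest of the repository follows. Also worth stating in `description` or `falsepositives` that the detection is purely indicator-based: it matches only the two dropped file names `Cache134.dat` and `ExplorerSync.db` under `\AppData\Local\Microsoft\`, so any variant that changes the drop path or file name will not fire, and defenders should pair it with the behavioural indicators from the referenced report rather than treat it as coverage for the technique as a whole.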
