mthaxton committed May 17, 2024
1 parent 3e6e591, commit e42ebaf
Showing 1 changed file with 18 additions and 0 deletions.
@@ -0,0 +1,18 @@ | ||
armageddon_vbs_backdoor: | ||
query: 'SELECT f.filename, f.path, f.directory, st.name, st.action | ||
FROM file f JOIN scheduled_tasks st ON st.action LIKE concat('%', concat(f.filename, '%')) | ||
WHERE lower(f.directory) LIKE "%%\appdata\roaming\%" | ||
AND f.path LIKE "%.%%" | ||
AND lower(st.action) LIKE "%e:vbscript%" | ||
AND (SELECT COUNT(*) FROM file WHERE lower(directory) LIKE "%%\appdata\roaming\%" AND path LIKE "%.%%") >= 2;' | ||
interval: 86400 | ||
snapshot: true | ||
description: A backdoor associated with the Armageddon threat actor was installed on the system. Armageddon is a group notable for performing attacks on behalf of the Russian Federal Security Service (FSB). This backdoor is written in Visual Basic and serves to establish persistence on the system and then download & execute additional files on the system. | ||
references: | ||
- ref | ||
mitre_tactics: | ||
- Persistence: TA0003 | ||
mitre_techniques: | ||
- Scheduled Task : T1053.005 | ||
platform: | ||
- windows |
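Review bot: the `query:` value is a single-quoted YAML scalar, but the SQL on the second line contains unescaped single quotes in `concat('%', concat(f.filename, '%'))`, so the scalar ends at the first `'` and the pack will fail to parse. Either double the inner quotes (`concat(''%'', concat(f.filename, ''%''))`) or, cleaner for a multi-line statement, use a block scalar (`query: |`) and drop the outer quotes. While here: the other string literals use double quotes (`"%%\appdata\roaming\%"`, `"%.%%"`, `"%e:vbscript%"`), which SQLite only treats as strings because no matching identifier exists; switching them to single quotes (doubled, or under a block scalar) makes the query unambiguous, and the doubled `%%` in those patterns is redundant. `references: - ref` is still a placeholder and should point at the actual reporting the description draws on before merge; `Scheduled Task : T1053.005` also has a stray space before the colon.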