endgameinc / eqllib

MIT License

GAMAREDON GROUP Queries #28

Closed dstepanic closed 4 years ago

dstepanic commented 4 years ago

Contains 6 different EQL queries for the GAMAREDON GROUP post. 3 of the queries rely on DNS eventing.

Non-browser processes making DNS requests to Dynamic DNS Providers
Identifies non-browser processes making DNS requests to Dynamic DNS Providers used by GAMAREDON GROUP.

MS Office Template Injection (SMB)
Microsoft's Open Office XML (OOXML) specification defines an XML-based format for Office documents. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents.

MS Office Template Injection (GAMAREDON GROUP)
Microsoft's Open Office XML (OOXML) specification defines an XML-based format for Office documents. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. This rule specifically looks for Dynamic DNS providers used previously by GAMAREDON GROUP.

Startup Folder Execution via VBScript
Adversaries abuse common persistence mechanisms such as placing their malware/implants into a compromised user's startup folder. This detection identifies the execution portion of GAMAREDON GROUP's technique of placing shortcut and VBScript files into this folder.

Startup Folder Persistence with Shortcut/VBScript Files
Adversaries abuse common persistence mechanisms such as placing their malware/implants into a compromised user's startup folder. This detection identifies GAMAREDON GROUP's technique of placing shortcut and VBScript files into this folder.

Suspicious MS Office Registry Modifications
Adversaries may attempt to lower security controls around macro-enabled objects via malicious documents. By modifying these settings such as trusting future macros or disabling security warnings, adversaries increase their chances of success to re-gain access to the machine.
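The logic of the first query (non-browser process resolving a dynamic DNS name), written out as an added Python example over constructed DNS events; this is not code from the PR or from eqllib, and the event fields, the browser allowlist and the dynamic DNS zone list are assumptions chosen for illustration.

```python
# Added example (not eqllib code): the "non-browser process -> dynamic DNS
# provider" check as plain Python over DNS events. Event shape, browser
# list and zone list are assumptions for illustration.
import json

# Assumed: processes expected to resolve arbitrary names (tuning noise).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Assumed sample set of dynamic DNS zones, not the list used in the PR.
DYNAMIC_DNS_ZONES = {"ddns.net", "no-ip.org", "hopto.org", "duckdns.org"}


def dynamic_dns_zone(query_name):
    """Return the zone if query_name is at or under a DYNAMIC_DNS_ZONES entry.
    Matches on label boundaries, so "notddns.net" does not match "ddns.net"."""
    labels = query_name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in DYNAMIC_DNS_ZONES:
            return zone
    return None


def find_suspicious_dns(events):
    """Return (process_name, query_name, zone) for DNS events from a
    non-browser process that resolve a dynamic DNS name."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "dns":
            continue  # only DNS eventing carries the queried name
        proc = ev.get("process_name", "").lower()
        if proc in BROWSER_PROCESSES:
            continue  # browsers resolving such names are expected noise
        zone = dynamic_dns_zone(ev.get("query_name", ""))
        if zone:
            hits.append((proc, ev["query_name"], zone))
    return hits


def load_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(l) for l in text.splitlines() if l.strip()]


# Constructed sample telemetry, not real data.
SAMPLE_LOG = """
{"event_type": "dns", "process_name": "chrome.exe", "query_name": "update.ddns.net"}
{"event_type": "dns", "process_name": "wscript.exe", "query_name": "host1.ddns.net"}
{"event_type": "dns", "process_name": "winword.exe", "query_name": "notddns.net"}
{"event_type": "process", "process_name": "wscript.exe", "query_name": "x.hopto.org"}
{"event_type": "dns", "process_name": "WINWORD.EXE", "query_name": "docs.hopto.org."}
"""
```

Running `find_suspicious_dns(load_events(SAMPLE_LOG))` flags only the wscript.exe and WINWORD.EXE lookups; the browser lookup, the look-alike domain and the non-DNS event are left alone.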