Emerging Threathightest
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)Created Fri May 1939466c42-c189-476a-989f-8cdb135c163a2021
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic3 selectors
detection:
selection_typo_path:
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\'
TargetFilename|contains:
- '\Roaming\'
- '\Local\'
selection_typo_keyword:
TargetFilename|contains: 'Microsift'
selection_ioc:
TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
condition: all of selection_typo_* or selection_iocFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.emerging-threats
Rule Metadata
Rule ID
39466c42-c189-476a-989f-8cdb135c163a
Status
test
Level
high
Type
Emerging Threat
Created
Fri May 19
Path
rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
Raw Tags
attack.defense-evasionattack.t1036.005detection.emerging-threats