Detectionhightest

Octopus Scanner Malware

Detects Octopus Scanner Malware.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

NVISOCreated Tue Jun 09Updated Sat Nov 27805c55d9-31e6-4846-9878-c34c75054fe9windows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Cache134.dat'
            - '\AppData\Local\Microsoft\ExplorerSync.db'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

securitylab.github.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1195 · Supply Chain Compromise

Sub-techniques

T1195.001 · Compromise Software Dependencies and Development Tools

Rule Metadata

Rule ID

805c55d9-31e6-4846-9878-c34c75054fe9

Status

test

Level

high

Type

Detection

Created

Tue Jun 09

Modified

Sat Nov 27

Author

NVISO

Path

rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml

Raw Tags

attack.initial-accessattack.t1195attack.t1195.001

View on GitHub