Emerging Threatcriticaltest

Turla Group Lateral Movement

Detects automated lateral movement by Turla group

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Markus NeisCreated Tue Nov 07Updated Sun Oct 09c601f20d-570a-4cde-a7d6-e17f99cb8e7f2014

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine:
            - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
            - 'dir c:\\*.doc* /s'
            - 'dir %TEMP%\\*.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

securelist.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0008 · Lateral Movement TA0007 · Discovery

Techniques

T1059 · Command and Scripting Interpreter T1083 · File and Directory Discovery T1135 · Network Share Discovery

Sub-techniques

T1021.002 · SMB/Windows Admin Shares

Groups

G0010 · G0010

Other

detection.emerging-threats

Rule Metadata

Rule ID

c601f20d-570a-4cde-a7d6-e17f99cb8e7f

Status

test

Level

critical

Type

Emerging Threat

Created

Tue Nov 07

Modified

Sun Oct 09

Author

Markus Neis

Path

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml

Raw Tags

attack.g0010attack.executionattack.t1059attack.lateral-movementattack.t1021.002attack.discoveryattack.t1083attack.t1135detection.emerging-threats

View on GitHub