Emerging Threatcriticaltest

CosmicDuke Service Installation

Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.communityCreated Mon Mar 27Updated Sun Oct 09cb062102-587e-4414-8efa-dbe3c7bf19c62017

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697

Detection Logic

detection:
    selection:
        EventID: 4697
        ServiceName: 'javamtsup'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

blog.f-secure.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence

Sub-techniques

T1543.003 · Windows Service T1569.002 · Service Execution

Other

detection.emerging-threats

Related Rules

Derived

2cfe636e-317a-4bee-9f2c-1066d9f54d1a

Rule not found

Rule Metadata

Rule ID

cb062102-587e-4414-8efa-dbe3c7bf19c6

Status

test

Level

critical

Type

Emerging Threat

Created

Mon Mar 27

Modified

Sun Oct 09

Author

Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community

Path

rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1543.003attack.t1569.002detection.emerging-threats

View on GitHub