
Commit 64ed5bb

Authored by MHaggis, nasbench, patel-bhavin
APT 37 and The No Good Rustonotto (#3686)
* APT 37 and The No Good Rustonotto

## Updated analytics

```
detections/application/detect_html_help_spawn_child_process.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/bitsadmin_download_file.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/cobalt_strike_named_pipes.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_html_help_renamed.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_html_help_url_in_command_line.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_mshta_inline_hta_execution.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_mshta_renamed.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_mshta_url_in_command_line.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/detect_rundll32_inline_hta_execution.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/executables_or_script_creation_in_temp_path.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/icedid_exfiltrated_archived_file_creation.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/lolbas_with_network_traffic.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/powershell_4104_hunting.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/processes_tapping_keyboard_events.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/registry_keys_used_for_persistence.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/suspicious_curl_network_connection.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/suspicious_image_creation_in_appdata_folder.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/suspicious_mshta_spawn.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/suspicious_process_executed_from_container_file.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/suspicious_scheduled_task_from_public_directory.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_alternate_datastream___base64_content.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_archive_collected_data_via_powershell.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_archive_collected_data_via_rar.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_archived_collected_data_in_temp_folder.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_cab_file_on_disk.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_curl_download_to_suspicious_path.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_file_download_via_powershell.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_high_file_deletion_frequency.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_http_network_communication_from_msiexec.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_indicator_removal_via_rmdir.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_input_capture_using_credential_ui_dll.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_iso_lnk_file_creation.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_office_product_spawned_child_process_for_download.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_office_product_spawned_uncommon_process.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_process_executed_from_removable_media.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_process_execution_from_programdata.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_process_injection_into_notepad.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_replication_through_removable_media.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_scheduled_task_with_suspicious_command.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_scheduled_task_with_suspicious_name.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_screen_capture_in_temp_folder.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_screen_capture_via_powershell.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_service_created_with_suspicious_service_path.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_suspicious_driver_loaded_path.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_usbstor_registry_key_modification.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_wpdbusenum_registry_key_modification.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/winevent_scheduled_task_created_within_public_path.yml — APT37 Rustonotto and FadeStealer
detections/web/multiple_archive_files_http_post_traffic.yml — APT37 Rustonotto and FadeStealer
detections/web/plain_http_post_exfiltrated_data.yml — APT37 Rustonotto and FadeStealer
detections/endpoint/windows_expand_cabinet_file_extraction.yml — APT37 Rustonotto and FadeStealer
```

## New Story

```
stories/apt37_rustonotto_and_fadestealer.yml — APT37 Rustonotto and FadeStealer
```

* Create windows_expand_cabinet_file_extraction.yml

* Apply suggestion from @nasbench

Co-authored-by: Nasreddine Bencherchali <[email protected]>

* Update detections/endpoint/windows_expand_cabinet_file_extraction.yml

Co-authored-by: Nasreddine Bencherchali <[email protected]>

* Update detections/endpoint/windows_expand_cabinet_file_extraction.yml

Co-authored-by: Nasreddine Bencherchali <[email protected]>

* Update detections/endpoint/windows_expand_cabinet_file_extraction.yml

Co-authored-by: Nasreddine Bencherchali <[email protected]>

* updating conflicts

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>
Co-authored-by: Bhavin Patel <[email protected]>
Co-authored-by: Bhavin Patel <[email protected]>
1 parent 0bcb54b commit 64ed5bb

69 files changed: +276 / -107 lines changed


detections/application/detect_html_help_spawn_child_process.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: Detect HTML Help Spawn Child Process
22
id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
3-
version: 11
4-
date: '2025-05-02'
3+
version: 12
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: TTP
@@ -79,6 +79,7 @@ tags:
7979
- AgentTesla
8080
- Living Off The Land
8181
- Compromised Windows Host
82+
- APT37 Rustonotto and FadeStealer
8283
asset_type: Endpoint
8384
mitre_attack_id:
8485
- T1218.001

detections/endpoint/bitsadmin_download_file.yml

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
11
name: BITSAdmin Download File
22
id: 80630ff4-8e4c-11eb-aab5-acde48001122
33
version: 13
4-
date: '2025-09-16'
4+
date: '2025-09-18'
55
author: Michael Haag, Sittikorn S
66
status: production
77
type: TTP
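Review bot: the date moves from '2025-09-16' to '2025-09-18' in this hunk but `version: 13` is left untouched, while every other file in this commit bumps the version together with the date (11→12, 2→3, 10→11, and so on). If the version 13 bump from 09-16 is meant to cover this release as well, the date change alone is harmless; otherwise bump to `version: 14` so downstream consumers that key on the version see that the metadata changed.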
@@ -81,6 +81,7 @@ tags:
8181
- Flax Typhoon
8282
- Gozi Malware
8383
- Scattered Spider
84+
- APT37 Rustonotto and FadeStealer
8485
- GhostRedirector IIS Module and Rungan Backdoor
8586
asset_type: Endpoint
8687
mitre_attack_id:
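Review bot: the new `- APT37 Rustonotto and FadeStealer` entry lands between `- Scattered Spider` and `- GhostRedirector IIS Module and Rungan Backdoor`, in the middle of the list, which looks like a leftover from the "updating conflicts" merge rather than a deliberate position. Elsewhere in this commit the same entry is appended at the tail (detect_html_help_spawn_child_process, cobalt_strike_named_pipes) or prepended at the head (cisco_nvm, detect_html_help_url_in_command_line, detect_mshta_url_in_command_line). Pick one placement, either always append or keep the list alphabetical, so future story additions produce predictable diffs and fewer merge conflicts.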

detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Cisco NVM - Suspicious Download From File Sharing Website
22
id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
3-
version: 2
4-
date: '2025-09-09'
3+
version: 3
4+
date: '2025-09-18'
55
author: Nasreddine Bencherchali, Splunk
66
status: production
77
type: Anomaly
@@ -97,6 +97,7 @@ rba:
9797
type: process_name
9898
tags:
9999
analytic_story:
100+
- APT37 Rustonotto and FadeStealer
100101
- Cisco Network Visibility Module Analytics
101102
asset_type: Endpoint
102103
mitre_attack_id:

detections/endpoint/cobalt_strike_named_pipes.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Cobalt Strike Named Pipes
22
id: 5876d429-0240-4709-8b93-ea8330b411b5
3-
version: 10
4-
date: '2025-08-04'
3+
version: 11
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: TTP
@@ -90,6 +90,7 @@ tags:
9090
- Graceful Wipe Out Attack
9191
- LockBit Ransomware
9292
- Gozi Malware
93+
- APT37 Rustonotto and FadeStealer
9394
asset_type: Endpoint
9495
mitre_attack_id:
9596
- T1055

detections/endpoint/detect_html_help_renamed.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect HTML Help Renamed
22
id: 62fed254-513b-460e-953d-79771493a9f3
3-
version: 11
4-
date: '2025-05-02'
3+
version: 12
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: Hunting
@@ -45,6 +45,7 @@ tags:
4545
analytic_story:
4646
- Suspicious Compiled HTML Activity
4747
- Living Off The Land
48+
- APT37 Rustonotto and FadeStealer
4849
asset_type: Endpoint
4950
mitre_attack_id:
5051
- T1218.001

detections/endpoint/detect_html_help_url_in_command_line.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect HTML Help URL in Command Line
22
id: 8c5835b9-39d9-438b-817c-95f14c69a31e
3-
version: 12
4-
date: '2025-06-30'
3+
version: 13
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: TTP
@@ -82,6 +82,7 @@ rba:
8282
type: process_name
8383
tags:
8484
analytic_story:
85+
- APT37 Rustonotto and FadeStealer
8586
- Suspicious Compiled HTML Activity
8687
- Living Off The Land
8788
- Compromised Windows Host

detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect HTML Help Using InfoTech Storage Handlers
22
id: 0b2eefa5-5508-450d-b970-3dd2fb761aec
3-
version: 10
4-
date: '2025-05-02'
3+
version: 11
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: TTP
@@ -76,6 +76,7 @@ tags:
7676
- Suspicious Compiled HTML Activity
7777
- Living Off The Land
7878
- Compromised Windows Host
79+
- APT37 Rustonotto and FadeStealer
7980
asset_type: Endpoint
8081
mitre_attack_id:
8182
- T1218.001

detections/endpoint/detect_mshta_inline_hta_execution.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect mshta inline hta execution
22
id: a0873b32-5b68-11eb-ae93-0242ac130002
3-
version: '17'
4-
date: '2025-05-06'
3+
version: '18'
4+
date: '2025-09-18'
55
author: Bhavin Patel, Michael Haag, Splunk
66
status: production
77
type: TTP
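Review bot: `version` is a quoted string here (`'17'` → `'18'`) while every other detection touched in this commit uses an unquoted integer (`version: 12`, `version: 13`, ...). Since the bump is being made anyway, this is the moment to normalise it to `version: 18` so tooling that compares versions numerically does not have to special-case a string; the other files show the integer form is accepted by the schema.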
@@ -80,6 +80,7 @@ tags:
8080
- Living Off The Land
8181
- Suspicious MSHTA Activity
8282
- XWorm
83+
- APT37 Rustonotto and FadeStealer
8384
asset_type: Endpoint
8485
mitre_attack_id:
8586
- T1218.005

detections/endpoint/detect_mshta_renamed.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect mshta renamed
22
id: 8f45fcf0-5b68-11eb-ae93-0242ac130002
3-
version: 10
4-
date: '2025-05-02'
3+
version: 11
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: Hunting
@@ -43,6 +43,7 @@ tags:
4343
analytic_story:
4444
- Suspicious MSHTA Activity
4545
- Living Off The Land
46+
- APT37 Rustonotto and FadeStealer
4647
asset_type: Endpoint
4748
mitre_attack_id:
4849
- T1218.005

detections/endpoint/detect_mshta_url_in_command_line.yml

Lines changed: 3 additions & 2 deletions
@@ -1,7 +1,7 @@
11
name: Detect MSHTA Url in Command Line
22
id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
3-
version: 14
4-
date: '2025-06-30'
3+
version: 15
4+
date: '2025-09-18'
55
author: Michael Haag, Splunk
66
status: production
77
type: TTP
@@ -82,6 +82,7 @@ rba:
8282
type: process_name
8383
tags:
8484
analytic_story:
85+
- APT37 Rustonotto and FadeStealer
8586
- Compromised Windows Host
8687
- Lumma Stealer
8788
- Living Off The Land
