
Agent with tesla 1

Open tccontre opened this issue 3 years ago • 0 comments

Modified Detections to include Agent Tesla story line

  • [x] detect_html_help_spawn_child_process.yml
  • [x] excessive_usage_of_taskkill.yml
  • [x] executables_or_script_creation_in_suspicious_path.yml
  • [x] non_chrome_process_accessing_chrome_default_dir.yml
  • [x] non_firefox_process_access_firefox_profile_dir.yml
  • [x] office_application_drop_executable.yml
  • [x] office_application_spawn_rundll32_process.yml
  • [x] office_document_executing_macro_code.yml
  • [x] powershell___connect_to_internet_with_hidden_window.yml
  • [x] scheduled_task_deleted_or_created_via_cmd.yml
  • [x] suspicious_process_file_path.yml

Story

  • [x] stories/agenttesla.yml

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

tccontre avatar Sep 19 '22 09:09 tccontre