Detection rules › Sigma
GALLIUM IOCs
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1212 Exploitation for Credential Access |
| Command & Control | T1071 Application Layer Protocol |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
title: GALLIUM IOCs
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: test
description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
author: Tim Burrell
date: 2020-02-07
modified: 2024-11-23
tags:
- attack.credential-access
- attack.command-and-control
- attack.t1212
- attack.t1071
- attack.g0093
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
Hashes|contains:
- 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'
- 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'
- 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'
- 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'
- 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'
- 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'
- 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'
- 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'
- 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
condition: selection
falsepositives:
- Unknown
level: high
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
Hashes|contains:
- 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'
- 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'
- 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'
- 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'
- 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'
- 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'
- 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'
- 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'
- 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Hashes | match |
|