ZuoRAT — Wazuh Detection Rules

Intro

OpenCTI — ZuoRAT IoCs and Relationships

Attack Phases

OpenCTI — ZuoRAT Correlation Matrix

Windows-based shellcodes, beacons and detection rules

<!-- Custom rules must live inside a <group> element in a local rules file.
     The "xxxxxx" ids are placeholders: replace them with unused ids from the
     custom range (100000-120000). Parent sids come from the stock Wazuh Sysmon
     ruleset: 61603 = Sysmon Event 1 (process creation), 61609 = Sysmon Event 7
     (image loaded). -->
<group name="sysmon,zuorat,">
  <!-- Event 1: process created by a binary whose signer company matches the
       certificate seen on the ZuoRAT Windows loader. -->
  <rule id="xxxxxx" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.company">^Tencent Technology(Shenzhen) Company Limited$</field>
    <description>Sysmon - Event 1: Process $(win.eventdata.description) - ZuoRAT Detection.</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_anomaly</group>
  </rule>
  <!-- Event 7: the loader process itself maps any image. -->
  <rule id="xxxxx" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image">OneDriverUpdaterService.exe$</field>
    <description>Sysmon - Event 7: Image loaded by $(win.eventdata.image) - ZuoRAT Detection.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_anomaly</group>
  </rule>
  <!-- Event 7: the loader binary is mapped as an image by another process. -->
  <rule id="xxxxx" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.imageLoaded">OneDriverUpdaterService.exe$</field>
    <description>Sysmon - Event 7: Image $(win.eventdata.imageLoaded) loaded by $(win.eventdata.image) - ZuoRAT Detection.</description>
    <mitre>
      <id>T1059</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_anomaly</group>
  </rule>
  <!-- Event 1: the loader binary is started as a process, whatever its path. -->
  <rule id="xxxxxx" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image">OneDriverUpdaterService.exe$</field>
    <description>Sysmon - Event 1: Process $(win.eventdata.description) - ZuoRAT Detection.</description>
    <mitre>
      <id>T1204</id>
    </mitre>
    <options>no_full_log</options>
    <group>sysmon_anomaly</group>
  </rule>
</group>
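As an added example that is not part of the original article, the four rule conditions above replayed in Python over constructed Sysmon events laid out the way Wazuh decodes them (win.system.eventID, win.eventdata.*). The 61603/61609 to Event 1/7 mapping and the escaping of the regex metacharacters are assumptions; the sample events are constructed, not real telemetry.

```python
import re

# Parents of the page's rules: Wazuh sid 61603 = Sysmon Event 1 (process create),
# 61609 = Sysmon Event 7 (image loaded). Assumed from the stock Wazuh Sysmon ruleset.
PARENT_SID_EVENT = {61603: "1", 61609: "7"}

# The four page rules as (parent sid, decoded field, pattern, label). The OS_Regex
# values are rendered as Python regexes with "(", ")" and "." escaped, which
# assumes the author meant them literally.
RULES = [
    (61603, "company",     r"^Tencent Technology\(Shenzhen\) Company Limited$", "event1-company"),
    (61609, "image",       r"OneDriverUpdaterService\.exe$",                    "event7-loader"),
    (61609, "imageLoaded", r"OneDriverUpdaterService\.exe$",                    "event7-loaded"),
    (61603, "image",       r"OneDriverUpdaterService\.exe$",                    "event1-image"),
]

def match_rules(event):
    """Return labels of the page rules that fire on one decoded Sysmon event."""
    # <if_sid> gate: only rules whose parent sid matches the event's ID are evaluated.
    event_id = event["win"]["system"]["eventID"]
    data = event["win"]["eventdata"]
    fired = []
    for sid, field, pattern, label in RULES:
        if PARENT_SID_EVENT[sid] != event_id:
            continue
        value = data.get(field)  # a <field> test cannot match when the field is absent
        if value is not None and re.search(pattern, value):
            fired.append(label)
    return fired

def sysmon_event(event_id, **eventdata):
    """Constructed event in the shape Wazuh decodes Sysmon channel JSON into."""
    return {"win": {"system": {"eventID": str(event_id)}, "eventdata": eventdata}}

# Constructed samples. "near_miss" shows the "$" anchor at work: the company rule
# fires, but the image rule does not for a path ending in ".exe.txt".
SAMPLES = {
    "benign_proc": sysmon_event(1, image=r"C:\Windows\System32\notepad.exe",
                                company="Microsoft Corporation"),
    "zuorat_proc": sysmon_event(1, image=r"C:\Users\Public\OneDriverUpdaterService.exe",
                                company="Tencent Technology(Shenzhen) Company Limited",
                                description="OneDrive Updater"),
    "zuorat_loads_dll": sysmon_event(7, image=r"C:\Users\Public\OneDriverUpdaterService.exe",
                                     imageLoaded=r"C:\Windows\System32\ws2_32.dll"),
    "near_miss": sysmon_event(1, image=r"C:\Temp\OneDriverUpdaterService.exe.txt",
                              company="Tencent Technology(Shenzhen) Company Limited"),
}
```

Run `match_rules(SAMPLES["zuorat_proc"])` to see both Event 1 rules fire on a single process-creation event, which is the overlap a tuning pass would want to know about.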

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).