Techniques
Sample rules
Windows SoftEther VPN Masquerading as Legitimate Binary
- source: splunk
- techniques:
- T1036
- T1572
Description
Flax Typhoon actors have been identified downloading and using SoftEther VPN software to obfuscate their activity. This detection looks for the SoftEther VPN binary, identified by the Company or OriginalFileName version metadata recorded in Sysmon process-creation events, running under the masquerading process names the actors use for it, conhost.exe and dllhost.exe.
Detection logic
`sysmon` EventID=1
    process IN ("*conhost.exe*", "*dllhost.exe*")
    AND (Company="*SoftEther*" OR OriginalFileName="vpnbridge*.exe")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID Company process action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_hash process_integrity_level user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_softether_vpn_masquerading_as_legitimate_binary_filter`
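To show what the search above actually matches, here is the rule's match condition and its stats aggregation re-implemented in Python and run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not Splunk's or the rule author's code; the sample events, host names and paths are made up, and the wildcard comparison assumes Splunk's behaviour of treating `*` as the only wildcard and comparing string values case-insensitively. The `process` field in Splunk's endpoint data model is the full command line, which is why the SPL wraps the two names in wildcards; the example matches on `CommandLine` for the same reason.

```python
"""Splunk rule logic for 'Windows SoftEther VPN Masquerading as Legitimate Binary'
re-implemented over constructed Sysmon Event ID 1 records (added example)."""
import re

# Constructed sample events, not captured from a real host. Field names follow
# Sysmon's Event ID 1 schema as Splunk extracts it.
SAMPLE_EVENTS = [
    # Legitimate conhost.exe: the masquerade name matches but the metadata is Microsoft's.
    {"_time": 1700000000, "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
     "OriginalFileName": "CONHOST.EXE", "Company": "Microsoft Corporation",
     "User": "WS01\\alice"},
    # SoftEther vpnbridge renamed to conhost.exe and run from a user-writable path.
    {"_time": 1700000100, "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Users\Public\conhost.exe",
     "CommandLine": r"C:\Users\Public\conhost.exe /start",
     "OriginalFileName": "vpnbridge.exe", "Company": "SoftEther VPN Project",
     "User": "WS01\\alice"},
    # Same renamed binary on another host; Company is missing from this event
    # (the SPL's fillnull handles that), OriginalFileName still gives it away.
    {"_time": 1700000200, "Computer": "WS02", "EventID": 1,
     "Image": r"C:\ProgramData\dllhost.exe",
     "CommandLine": r"C:\ProgramData\dllhost.exe",
     "OriginalFileName": "vpnbridge_x64.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    # Unrenamed SoftEther install: SoftEther metadata matches, but the process
    # is not named conhost/dllhost, so this rule deliberately does not fire.
    {"_time": 1700000300, "Computer": "WS03", "EventID": 1,
     "Image": r"C:\Program Files\SoftEther VPN Bridge\vpnbridge_x64.exe",
     "CommandLine": r"C:\Program Files\SoftEther VPN Bridge\vpnbridge_x64.exe",
     "OriginalFileName": "vpnbridge_x64.exe", "Company": "SoftEther VPN Project",
     "User": "NT AUTHORITY\\SYSTEM"},
    # Network-connection event (EventID 3), filtered out before any field check.
    {"_time": 1700000400, "Computer": "WS01", "EventID": 3,
     "Image": r"C:\Users\Public\conhost.exe", "Company": "SoftEther VPN Project"},
    # Second start of the renamed binary on WS01, to exercise count/firstTime/lastTime.
    {"_time": 1700000500, "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Users\Public\conhost.exe",
     "CommandLine": r"C:\Users\Public\conhost.exe /start",
     "OriginalFileName": "vpnbridge.exe", "Company": "SoftEther VPN Project",
     "User": "WS01\\alice"},
]

MASQUERADE_NAMES = ("*conhost.exe*", "*dllhost.exe*")


def splunk_like(value, pattern):
    """Splunk-style field comparison: '*' matches any run of characters,
    everything else is literal, and matching is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), flags=re.IGNORECASE | re.DOTALL) is not None


def matches_rule(event):
    """The WHERE part of the SPL: EventID=1 AND process IN (...) AND
    (Company="*SoftEther*" OR OriginalFileName="vpnbridge*.exe")."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "")          # CIM 'process' = full command line
    masquerade = any(splunk_like(cmd, p) for p in MASQUERADE_NAMES)
    softether = (splunk_like(event.get("Company", ""), "*SoftEther*")
                 or splunk_like(event.get("OriginalFileName", ""), "vpnbridge*.exe"))
    return masquerade and softether


def run_detection(events):
    """The stats part: count, firstTime, lastTime grouped by host, command line and
    binary metadata. .get(..., "") plays the role of fillnull: stats ... by drops
    events whose group-by field is null, so missing Company would otherwise hide a hit."""
    groups = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["Computer"], ev.get("CommandLine", ""),
               ev.get("Company", ""), ev.get("OriginalFileName", ""))
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


if __name__ == "__main__":
    for key, agg in run_detection(SAMPLE_EVENTS).items():
        print(key, agg)
```

Two things the sample set makes visible: the legitimate `conhost.exe` on WS01 is not flagged because neither metadata field points at SoftEther, and the properly named `vpnbridge_x64.exe` on WS03 is not flagged either, because this rule is scoped to the masquerade rather than to SoftEther usage in general. The rule therefore depends on the two hard-coded names and on the binary keeping its version resource; a copy renamed to anything else, or one with the version information stripped, would need a different detection.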