holisticinfosec/rules_windows_nobellium_filedrop.json

## rules_windows_nobellium_filedrop.json
[
        {
            "title": "NOBELLIUM FoggyWeb File Drop Sysmon",
            "description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
            "author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
            "tags": [
                "attack.persistence",
                "attack.defense_evasion"
            ],
            "level": "critical",
            "rule": [
                "SELECT * FROM logs WHERE (EventID = \"11\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND TargetFilename LIKE \"%C:\\\\Windows\\\\ADFS\\\\version.dll\" ESCAPE '\\')"
            ]
    	}
]
	[
	{
	"title": "NOBELLIUM FoggyWeb File Drop Sysmon",
	"description": "After compromising an AD FS server, NOBELIUM was observed dropping version.dll on the system.",
	"author": "Russ McRee (holisticinfosec), Florian Roth, (@cyb3rops)",
	"tags": [
	"attack.persistence",
	"attack.defense_evasion"
	],
	"level": "critical",
	"rule": [
	"SELECT * FROM logs WHERE (EventID = \"11\" AND Channel = \"Microsoft-Windows-Sysmon/Operational\" AND TargetFilename LIKE \"%C:\\\\Windows\\\\ADFS\\\\version.dll\" ESCAPE '\\')"
	]
	}
	]