SigmaHQ/wazuh/rules/sigma_win_apt_apt29_thinktanks.yml

alert:
- debug
description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
filter:
- query:
    query_string:
      query: data.win.eventdata.commandLine.keyword:*\-noni\ \-ep\ bypass\ $*
index: wazuh-alerts-3.x-*
name: 033fe7d6-66d1-4240-ac6b-28908009c71f_0
priority: 1
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks`
			`filter:`
			`- query:`
			`query_string:`
			`query: data.win.eventdata.commandLine.keyword:\-noni\ \-ep\ bypass\ $`
			`index: wazuh-alerts-3.x-*`
			`name: 033fe7d6-66d1-4240-ac6b-28908009c71f_0`
			`priority: 1`
			`realert:`
			`minutes: 0`
			`type: any`