SigmaHQ/rules/windows/process_creation/win_apt_apt29_thinktanks.yml

25 lines
762 B
YAML
Raw Normal View History

2019-11-12 22:12:27 +00:00
title: APT29
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
2019-03-13 09:22:41 +00:00
tags:
- attack.execution
- attack.g0016
- attack.t1086 # an old one
- attack.t1059 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1059.001
author: Florian Roth
2020-06-16 20:46:08 +00:00
date: 2018/12/04
modified: 2020/08/26
logsource:
2019-03-02 18:05:15 +00:00
category: process_creation
product: windows
detection:
selection:
CommandLine: '*-noni -ep bypass $*'
2019-03-02 18:05:15 +00:00
condition: selection
falsepositives:
- unknown
level: critical