SigmaHQ/rules/windows/process_creation/win_apt_apt29_thinktanks.yml

title: APT29
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
references:
    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
tags:
    - attack.execution
    - attack.g0016
    - attack.t1086 # an old one
    - attack.t1059 # an old one
    - attack.t1059.001
author: Florian Roth
date: 2018/12/04
modified: 2020/08/26
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all: 
            - '-noni' 
            - '-ep'
            - 'bypass'
            - '$'
    condition: selection
falsepositives:
    - unknown
level: critical
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`title: APT29`
			`id: 033fe7d6-66d1-4240-ac6b-28908009c71f`
			`description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks`
Rule: APT29 campaign against US think tanks https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 2018-12-04 16:04:03 +00:00			`references:`
			`- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/`
add tags to apt29 thinktanks rule 2019-03-13 09:22:41 +00:00			`tags:`
			`- attack.execution`
			`- attack.g0016`
att&ck tags review: windows/process_creation part 1, network 2020-08-27 17:43:47 +00:00			`- attack.t1086 # an old one`
			`- attack.t1059 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1059.001`
Rule: APT29 campaign against US think tanks https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 2018-12-04 16:04:03 +00:00			`author: Florian Roth`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`date: 2018/12/04`
att&ck tags review: windows/process_creation part 1, network 2020-08-27 17:43:47 +00:00			`modified: 2020/08/26`
Rule: APT29 campaign against US think tanks https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 2018-12-04 16:04:03 +00:00			`logsource:`
updated to use process_creation 2019-03-02 18:05:15 +00:00			`category: process_creation`
Rule: APT29 campaign against US think tanks https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ 2018-12-04 16:04:03 +00:00			`product: windows`
			`detection:`
			`selection:`
Update win_apt_apt29_thinktanks.yml 2020-10-28 02:24:04 +00:00			`CommandLine\|contains\|all:`
			`- '-noni'`
			`- '-ep'`
			`- 'bypass'`
			`- '$'`
updated to use process_creation 2019-03-02 18:05:15 +00:00			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: critical`