2018-12-03 07:42:29 +00:00
|
|
|
action: global
|
|
|
|
|
title: TropicTrooper Campaign November 2018
|
|
|
|
|
status: stable
|
|
|
|
|
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
|
|
|
|
|
references:
|
|
|
|
|
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
|
2018-12-05 10:59:10 +00:00
|
|
|
author: "@41thexplorer, Windows Defender ATP"
|
2018-12-03 07:42:29 +00:00
|
|
|
date: 2018/11/30
|
2018-12-11 15:10:15 +00:00
|
|
|
modified: 2018/12/11
|
2018-12-03 07:42:29 +00:00
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1085
|
|
|
|
|
detection:
|
|
|
|
|
condition: selection
|
|
|
|
|
level: high
|
|
|
|
|
---
|
|
|
|
|
# Windows Security Eventlog: Process Creation with Full Command Line
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: security
|
|
|
|
|
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
EventID: 4688
|
2018-12-11 15:10:15 +00:00
|
|
|
ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
2018-12-03 07:42:29 +00:00
|
|
|
---
|
|
|
|
|
# Sysmon: Process Creation (ID 1)
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
EventID: 1
|
|
|
|
|
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
