title: APT29 id: 033fe7d6-66d1-4240-ac6b-28908009c71f description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks references: - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ tags: - attack.execution - attack.g0016 - attack.t1086 # an old one - attack.t1059 # an old one - attack.t1059.001 author: Florian Roth date: 2018/12/04 modified: 2020/08/26 logsource: category: process_creation product: windows detection: selection: CommandLine: '*-noni -ep bypass $*' condition: selection falsepositives: - unknown level: critical