valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3ef930b094
SigmaHQ/rules/apt/apt_apt29_thinktanks.yml

33 lines
963 B
YAML
Raw Blame History

---
action: global
title: APT29
description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
logsource:
product: windows
author: Florian Roth
date: 2018/12/04
detection:
condition: selection
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*-noni -ep bypass $*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*-noni -ep bypass $*'
Reference in New Issue View Git Blame Copy Permalink