SigmaHQ/rules/apt/apt_apt29_thinktanks.yml

title: APT29 
description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
references:
    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
author: Florian Roth
date: 2018/12/04 
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: '*-noni -ep bypass $*'
    condition: selection
falsepositives:
    - unknown
level: critical