Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
Sigma rule (View on GitHub)
1title: Potential MuddyWater APT Activity
2id: 36222790-0d43-4fe8-86e4-674b27809543
3status: test
4description: Detects potential Muddywater APT activity
5references:
6 - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-03-10
9tags:
10 - attack.defense-evasion
11 - attack.execution
12 - attack.g0069
13 - detection.emerging-threats
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_mshta:
19 CommandLine|contains|all:
20 - 'vbscript:Close(Execute("CreateObject('
21 - 'powershell'
22 - '-w 1 -exec Bypass'
23 - '\ProgramData\'
24 selection_survey:
25 CommandLine|contains|all:
26 - 'Win32_OperatingSystem'
27 - 'Win32_NetworkAdapterConfiguration'
28 - 'root\SecurityCenter2'
29 - '[System.Net.DNS]'
30 selection_pwsh_backdoor:
31 CommandLine|contains|all:
32 - '[Convert]::ToBase64String'
33 - '[System.Text.Encoding]::UTF8.GetString]'
34 - 'GetResponse().GetResponseStream()'
35 - '[System.Net.HttpWebRequest]::Create('
36 - '-bxor '
37 condition: 1 of selection_*
38falsepositives:
39 - Unlikely
40level: high
References
-
Ability to sleep for a given number of seconds. The following table summarizes the main C2 commands supported by this PowerShell Script. C2 Command Purpose reboot Reboot the system using shutdown c...
Read More
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- CMSTP Execution Process Access
- CMSTP Execution Process Creation
- CMSTP Execution Registry Event
- CMSTP UAC Bypass via COM Object Access