Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
Sigma rule (View on GitHub)
1title: Potential MuddyWater APT Activity
2id: 36222790-0d43-4fe8-86e4-674b27809543
3status: test
4description: Detects potential Muddywater APT activity
5references:
6 - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-03-10
9tags:
10 - attack.defense-evasion
11 - attack.execution
12 - attack.g0069
13 - detection.emerging-threats
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_mshta:
19 CommandLine|contains|all:
20 - 'vbscript:Close(Execute("CreateObject('
21 - 'powershell'
22 - '-w 1 -exec Bypass'
23 - '\ProgramData\'
24 selection_survey:
25 CommandLine|contains|all:
26 - 'Win32_OperatingSystem'
27 - 'Win32_NetworkAdapterConfiguration'
28 - 'root\SecurityCenter2'
29 - '[System.Net.DNS]'
30 selection_pwsh_backdoor:
31 CommandLine|contains|all:
32 - '[Convert]::ToBase64String'
33 - '[System.Text.Encoding]::UTF8.GetString]'
34 - 'GetResponse().GetResponseStream()'
35 - '[System.Net.HttpWebRequest]::Create('
36 - '-bxor '
37 condition: 1 of selection_*
38falsepositives:
39 - Unlikely
40level: high
References
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- CMSTP Execution Process Access
- CMSTP Execution Process Creation
- CMSTP Execution Registry Event
- Fireball Archer Install