Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
Sigma rule (View on GitHub)
1title: Potential EmpireMonkey Activity
2id: 10152a7b-b566-438f-a33c-390b607d1c8d
3status: test
4description: Detects potential EmpireMonkey APT activity
5references:
6 - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
7 - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
8author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
9date: 2019/04/02
10modified: 2023/03/09
11tags:
12 - attack.defense_evasion
13 - attack.t1218.010
14 - detection.emerging_threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains|all:
21 - '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
22 - '\Local\Temp\Errors.bat'
23 condition: selection
24falsepositives:
25 - Unlikely
26level: high
References
-
In 2018-2019, researchers of GReAT analyzed various campaigns that used the same TTPs as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests.
Read More -
Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.
Read More
Related rules
- Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
- Malicious DLL Load By Compromised 3CXDesktopApp
- OilRig APT Schedule Task Persistence - System
- Potential Compromised 3CXDesktopApp Execution
- Potential Compromised 3CXDesktopApp Update Activity