Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
Sigma rule (View on GitHub)
1title: Operation Wocao Activity - Security
2id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
3status: test
4description: Detects activity mentioned in Operation Wocao report
5references:
6 - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
7 - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
8 - https://twitter.com/SBousseaden/status/1207671369963646976
9author: Florian Roth (Nextron Systems), frack113
10date: 2019/12/20
11modified: 2022/11/27
12tags:
13 - attack.discovery
14 - attack.t1012
15 - attack.defense_evasion
16 - attack.t1036.004
17 - attack.t1027
18 - attack.execution
19 - attack.t1053.005
20 - attack.t1059.001
21 - detection.emerging_threats
22logsource:
23 product: windows
24 service: security
25detection:
26 selection:
27 EventID: 4799
28 TargetUserName|startswith: 'Administr'
29 CallerProcessName|endswith: '\checkadmin.exe'
30 condition: selection
31falsepositives:
32 - Administrators that use checkadmin.exe tool to enumerate local administrators
33level: high
References
-
Operation Wocao (我�, “Wǒ cāo�, used as “shit� or “damn�) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. This report details the...
Read More -
COLLECTED BY This is a Collection of URLs (and Outlinked URLs) extracted from a random feed of 1% of all Tweets. TIMESTAMPS The Wayback Machine - https://web.archive.org/web/20200215212348/https://...
Read More -
Related rules
- Operation Wocao Activity
- Potential Emotet Activity
- Turla Group Commands May 2020
- Greenbug Espionage Group Indicators
- Invoke-Obfuscation CLIP+ Launcher